CVE-2026-42320
File Read Vulnerability in GLPI IT Asset Management Software
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| glpi_project | glpi | From 0.50 (inc) to 11.0.0 (exc) |
| glpi_project | glpi | 10.0.25 |
| glpi_project | glpi | 11.0.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows a technician with high privileges to read arbitrary files within the GLPI_DOC_DIR directory, which results in a high impact on confidentiality.
Since confidentiality of data is a critical aspect of compliance with standards such as GDPR and HIPAA, this vulnerability could potentially lead to non-compliance if sensitive personal or health information is exposed.
However, the vulnerability requires high privileges to exploit and does not affect integrity or availability.
Upgrading to patched versions 10.0.25 or 11.0.7 is recommended to mitigate this risk and help maintain compliance.
Can you explain this vulnerability to me?
CVE-2026-42320 is a vulnerability in GLPI, an open-source IT asset management software, that allows a technician with sufficient privileges to read arbitrary files within the GLPI_DOC_DIR directory.
The affected versions include all releases from 0.50 up to but not including 11.0.0, as well as versions 11.0.0 and later. The issue has been patched in versions 10.0.25 and 11.0.7.
Exploitation requires high privileges, the attack vector is network-based, and the attack complexity is high, with no user interaction required.
How can this vulnerability impact me? :
This vulnerability allows a technician with high privileges to read arbitrary files inside the GLPI_DOC_DIR directory, which can lead to unauthorized disclosure of sensitive information.
The impact is primarily on confidentiality, with no direct effect on integrity or availability of the system.
Because the attack requires high privileges and has high attack complexity, the risk is moderate but still significant for sensitive environments.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade GLPI to version 10.0.25 or 11.0.7 or later, where the issue has been patched.
Ensure that only trusted technicians with high privileges have access to the GLPI system to reduce the risk of exploitation.