Auth bypass in Glpi-project Glpi

CVE-2026-42320

GLPI is a free asset and IT management software package. Starting in version 0.50 and prior to versions 10.0.25 and 11.0.7, a technician can read arbitrary files inside the GLPI_DOC_DIR. Upgrade to 10.0.25 or 11.0.7 to receive a patch.

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.9th percentile) — read the EPSS interpretation.

Affected products

Glpi-project Glpi — versions >= 11.0.0, < 11.0.7, >= 0.50, < 10.0.25

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

security-advisories@github.com (x_refsource_CONFIRM)