CVE-2026-32312
Description
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In GLPI 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export unauthorized form structures, leading to information disclosure.
Vulnerability
GLPI, a free asset and IT management software, contains an authorization bypass vulnerability in versions 11.0.0 through 11.0.6. An authenticated user with the forms READ permission can export the structure of forms they are not authorized to access, violating access controls [1]. The issue was fixed in version 11.0.7 [2].
Exploitation
To exploit this vulnerability, an attacker must have a valid authenticated session on a GLPI instance running an affected version and possess the forms READ permission. No additional privileges or special network position beyond normal application access is required. The attacker can then use the form export functionality to retrieve the structure of forms that should be restricted, without needing any special conditions or race window [1].
Impact
Successful exploitation allows an attacker to gain unauthorized access to the structure of forms in GLPI. This constitutes an information disclosure vulnerability, potentially revealing sensitive form designs, field definitions, and data schemas. The confidentiality of form metadata is compromised, though direct modification or deletion of data is not achieved. The impact is limited to reading form structures, not the data within forms [1].
Mitigation
The vulnerability is fixed in GLPI version 11.0.7, released on May 19, 2026 [2]. Users should upgrade to this version or later. No workaround is provided in the available references; upgrading is the recommended mitigation [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=11.0.0, <=11.0.6
References