VYPR
Medium severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-42320

Description

GLPI versions prior to 10.0.25 and 11.0.7 allow technicians to read arbitrary files within the GLPI_DOC_DIR.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GLPI versions starting from 0.50 and prior to 10.0.25 and 11.0.7 are vulnerable to arbitrary file reads within the GLPI_DOC_DIR. This vulnerability affects the core functionality of the asset and IT management software [1].

Exploitation

An attacker with technician privileges within GLPI can exploit this vulnerability. The attacker needs to be able to access the GLPI interface and leverage their existing technician role to read arbitrary files from the GLPI_DOC_DIR [1].

Impact

Successful exploitation allows a technician to read any file located within the GLPI_DOC_DIR. This could lead to the disclosure of sensitive information stored in these files, depending on the contents and the configuration of the GLPI installation [1].

Mitigation

GLPI versions 10.0.25 and 11.0.7 contain a patch for this vulnerability. Users are advised to upgrade to these versions or later to resolve the issue. Information regarding workarounds or EOL status is not yet disclosed in the available references [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)
  • Glpi Project / Glpi (inferred), 2 version ranges
    • (no CPE) range: >=0.50,<10.0.25, >=10.0.25,<11.0.7
    • (no CPE) range: <10.0.25, <11.0.7
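The mitigation advice is to upgrade to 10.0.25 / 11.0.7 or later, and the ranges listed above overlap at 10.0.25 (it appears as both an upper and a lower bound). The Python script below is an added example, not code from the advisory or from the GLPI project: it reads the `GLPI_VERSION` constant from a copy of `inc/define.php` or `src/autoload/constants.php` (the two files touched by the version-bump commits) and reports whether that install sits in the affected ranges. It assumes the overlap is resolved in favour of the "Fixed in 10.0.25" note, i.e. the 10.0 line is clean from 10.0.25 and the 11.0 line from 11.0.7, and it treats a `-dev` or similar suffix as a pre-release that sorts below the final release. The PHP snippet embedded in it is a constructed sample.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed releases per branch as stated by the advisory ("Fixed in 10.0.25",
# "Fixed in 11.0.7"); 0.50 is the lower bound of the affected ranges and
# 11.0.7 doubles as the end of the overall affected interval.
FIRST_AFFECTED = "0.50"
FIXED_RELEASES = {"10.0": "10.0.25", "11.0": "11.0.7"}

# Matches the define() line used by GLPI's inc/define.php and
# src/autoload/constants.php, e.g. define('GLPI_VERSION', '11.0.7-dev');
_DEFINE_RE = re.compile(r"define\(\s*'GLPI_VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_glpi_version(php_source: str) -> Optional[str]:
    """Return the GLPI_VERSION string found in the PHP source, or None."""
    match = _DEFINE_RE.search(php_source)
    return match.group(1) if match else None


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR[.PATCH][-suffix]' into a comparable tuple.

    Numeric parts are padded to three components so '0.50' compares as
    (0, 50, 0). A suffix such as '-dev' or '-rc1' marks a pre-release and
    sorts *below* the final release with the same numbers, which is how
    GLPI orders '11.0.7-dev' before '11.0.7'.
    """
    base, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    numbers += (0,) * (3 - len(numbers))
    prerelease = (1, "") if suffix == "" else (0, suffix)
    return numbers + prerelease


def branch_of(parsed: tuple) -> str:
    """'MAJOR.MINOR' key used to look up the fixed release of a branch."""
    return "%d.%d" % (parsed[0], parsed[1])


def is_affected(version: str) -> bool:
    """True if `version` lies in the advisory's affected ranges.

    Assumption (the advisory lists 10.0.25 as both an upper and a lower
    bound): a branch with a listed fix is clean from that fix onward; every
    other version from 0.50 up to, but excluding, 11.0.7 is affected.
    """
    parsed = parse_version(version)
    low = parse_version(FIRST_AFFECTED)
    high = parse_version(FIXED_RELEASES["11.0"])
    if not (low <= parsed < high):
        return False
    fixed = FIXED_RELEASES.get(branch_of(parsed))
    return fixed is None or parsed < parse_version(fixed)


def check_php_source(php_source: str) -> Tuple[Optional[str], Optional[bool]]:
    """Extract the version from PHP source and classify it.

    Returns (version, affected); both are None when no define() is found.
    """
    version = extract_glpi_version(php_source)
    if version is None:
        return None, None
    return version, is_affected(version)


# Constructed sample mimicking the define() line in inc/define.php.
SAMPLE_DEFINE_PHP = """<?php
// Current version of GLPI
define('GLPI_VERSION', '10.0.24');
"""

if __name__ == "__main__":
    # Usage: python glpi_version_check.py /path/to/glpi/inc/define.php
    # (or src/autoload/constants.php on the 11.x line). Without an
    # argument the constructed sample above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_DEFINE_PHP
    found, affected = check_php_source(source)
    if found is None:
        print("GLPI_VERSION not found")
        sys.exit(2)
    print(f"GLPI {found}: {'AFFECTED, upgrade' if affected else 'not in affected range'}")
    sys.exit(1 if affected else 0)
```

The exit code makes the script usable from a fleet inventory job: 1 means the install is in range, 0 means clean, 2 means the file did not contain the expected `define()`.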

Patches (4)
3389dbf83623

Merge commit from fork

https://github.com/glpi-project/glpi · Cédric Anne · Apr 29, 2026 · Fixed in 10.0.25 (via llm-release-walk)
1 file changed · +1 -1
  • src/Lock.php (+1 -1, modified)
    @@ -284,7 +284,7 @@ public static function showForItem(CommonDBTM $item)
                         if ($default_items_id !== null && is_a($row['itemtype'], CommonDBRelation::class, true)) {
                             $related_object = new $default_itemtype();
                             $related_object->getFromDB($object->fields[$default_items_id]);
    -                        $default_object_link = "<a href='" . $object->getLinkURL() . "'" . $related_object->getName() . ">" . $related_object->getName() . "</a>";
    +                        $default_object_link = "<a href='" . $object->getLinkURL() . "'>" . $related_object->getName() . "</a>";
                         }
     
                         echo "<td class='left'>" . $default_itemtype_label . "</td>";
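Review bot: The removed line spliced `$related_object->getName()` between the closing quote of the `href` attribute and the `>` of the tag, so the name was emitted raw inside the `<a>` element where it could break out of the markup; closing the tag right after the URL, as the added line does, is the correct fix. Two follow-ups: the same `getName()` value still lands in the link text, so confirm it is HTML-escaped before output, and the commit title "Merge commit from fork" says nothing about the bug, so a one-line message naming the broken anchor would keep the 10.0.25 release notes traceable.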
    
752c8eeb041a

Make document `filepath` and `sha1sum` readonly

https://github.com/glpi-project/glpi · Sebastien Monterisi · Apr 9, 2026 · Fixed in 10.0.25 (via llm-release-walk)
2 files changed · +89 -12
  • phpunit/functional/DocumentTest.php (+71 -0, modified)
    @@ -180,6 +180,77 @@ public function testPrepareInputForAdd()
             $this->assertSame('Document: Computer - Documented Computer', $prepare['name']);
         }
     
    +    public function testPrepareInputForAddIgnoreBlacklistedFields(): void
    +    {
    +        $_ignored = 'should_be_ignored';
    +        $input = ['name' => 'legit name', 'filepath' => $_ignored, 'sha1sum' =>  $_ignored];
    +        $prepare = (new \Document())->prepareInputForAdd($input);
    +
    +        $this->assertArrayNotHasKey('filepath', $prepare);
    +        $this->assertArrayNotHasKey('sha1sum', $prepare);
    +    }
    +
    +    /**
    +     * Ensure filepath and sha1sum are not updated by prepareInputForUpdate, even if they are present in the input.
    +     */
    +    public function testPrepareInputForUpdateIgnoreBlacklistedFields(): void
    +    {
    +        $_ignored = 'should_be_ignored';
    +        $input = ['name' => 'legit name', 'filepath' => $_ignored, 'sha1sum' =>  $_ignored];
    +
    +        $doc_id = (new \Document())->add(['name' => 'le document']);
    +        $prepare = (new \Document())->prepareInputForUpdate($input + ['id' => $doc_id]);
    +
    +        $this->assertArrayNotHasKey('filepath', $prepare);
    +        $this->assertArrayNotHasKey('sha1sum', $prepare);
    +    }
    +
    +    public function testPrepareInputForUpdateIgnoreBlacklistedFieldsWithUpload(): void
    +    {
    +        $this->login();
    +
    +        // Create a document with a mocked file upload
    +        $mdoc = $this->getMockBuilder(\Document::class)
    +            ->onlyMethods(['moveUploadedDocument'])
    +            ->getMock();
    +        $mdoc->method('moveUploadedDocument')->willReturn(true);
    +
    +        $doc_id = $mdoc->add([
    +            'name'        => 'test document with upload',
    +            'upload_file' => 'filename.txt',
    +        ]);
    +        $this->assertGreaterThan(0, $doc_id);
    +
    +        // Read back the stored values right after the upload-add
    +        $doc = new \Document();
    +        $this->assertTrue($doc->getFromDB($doc_id));
    +        $original_filepath = $doc->fields['filepath'];
    +        $original_sha1sum  = $doc->fields['sha1sum'];
    +
    +        // Attempt to update the document with blacklisted fields
    +        $_fake = 'should_be_ignored';
    +        $doc->update([
    +            'id'       => $doc_id,
    +            'name'     => 'updated name',
    +            'filepath' => $_fake,
    +            'sha1sum'  => $_fake,
    +        ]);
    +
    +        // Re-read from DB and verify blacklisted fields were NOT overwritten
    +        $doc_after = new \Document();
    +        $this->assertTrue($doc_after->getFromDB($doc_id));
    +
    +        $this->assertNotSame($_fake, $doc_after->fields['filepath']);
    +        $this->assertNotSame($_fake, $doc_after->fields['sha1sum']);
    +
    +        // Values must be identical to what they were right after the upload
    +        $this->assertSame($original_filepath, $doc_after->fields['filepath']);
    +        $this->assertSame($original_sha1sum, $doc_after->fields['sha1sum']);
    +
    +        // Non-blacklisted field must have been updated correctly
    +        $this->assertSame('updated name', $doc_after->fields['name']);
    +    }
    +
         /** Cannot work without a real document uploaded.
          *  Mock would be a solution but GLPI will try to use
          *  a table based on mocked class name, this is wrong.
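Review bot: None of the three new tests exercises the `$_REQUEST['filename']` rule that `filterFields()` also implements, so a regression on that branch would pass this suite; add a case that sets `$_REQUEST['filename']` and asserts the key is absent from the prepared input. Minor: `'sha1sum' =>  $_ignored` carries a double space in both add and update tests, and only the second test has a docblock, so the first and third deserve the same one-line statement of intent.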
    
  • src/Document.php (+18 -12, modified)
    @@ -234,10 +234,7 @@ public function prepareInputForAdd($input)
             /** @var array $CFG_GLPI */
             global $CFG_GLPI;
     
    -        // security (don't accept filename from $_REQUEST)
    -        if (array_key_exists('filename', $_REQUEST)) {
    -            unset($input['filename']);
    -        }
    +        $input = $this->filterFields($input);
     
             // current_filename is not necessary (item is new, current_filename should not exists)
             // but used for display can lead to wrong file deletion in moveDocument() and moveUploadedDocument()
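Review bot: Swapping the inline `$_REQUEST` check for `$this->filterFields($input)` is the right direction, but the `// security (don't accept filename from $_REQUEST)` comment that explained the intent at this call site is gone with it; keep a short comment here saying that caller-supplied `filename`, `filepath` and `sha1sum` are dropped, so a future edit to `prepareInputForAdd` does not reintroduce a raw `$input['filepath']` read.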
    @@ -279,9 +276,6 @@ public function prepareInputForAdd($input)
             } elseif (isset($input["upload_file"]) && !empty($input["upload_file"])) {
                 // Move doc from upload dir
                 $upload_ok = $this->moveUploadedDocument($input, $input["upload_file"]);
    -        } elseif (isset($input['filepath']) && file_exists(GLPI_DOC_DIR . '/' . $input['filepath'])) {
    -            // Document is created using an existing document file
    -            $upload_ok = true;
             }
     
             // Tag
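Review bot: The removed `elseif` branch is the part of this diff that matters for the CVE: it accepted a caller-supplied `filepath`, checked only that the file exists under `GLPI_DOC_DIR`, and then treated the document as successfully uploaded, so any existing file in that directory could be attached to a new document record. With `filepath` now stripped by `filterFields()` the branch would be dead code anyway, so deleting it is correct; still grep for internal callers that relied on creating a `Document` from an existing file (the removed comment reads "Document is created using an existing document file") and give them an explicit, non-user-input path if any exist.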
    @@ -403,11 +397,7 @@ public function post_getFromDB()
     
         public function prepareInputForUpdate($input)
         {
    -
    -        // security (don't accept filename from $_REQUEST)
    -        if (array_key_exists('filename', $_REQUEST)) {
    -            unset($input['filename']);
    -        }
    +        $input = $this->filterFields($input);
     
             if (isset($input['current_filepath'])) {
                 // Always use the values stored in DB to prevent arbitrary file deletion
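Review bot: Same substitution as in `prepareInputForAdd`, applied before the `current_filepath` handling, which is the right order since the update path must never see a caller-controlled `filepath` or `sha1sum`; it would help to state in the method docblock that both fields are DB-owned after creation, mirroring the existing comment "Always use the values stored in DB to prevent arbitrary file deletion".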
    @@ -2051,4 +2041,20 @@ public function checkAvailability(string $filename): bool
     
             return true;
         }
    +
    +    /**
    +     * Remove $input fields that should not be provided by user input
    +     *
    +     * @param  array<string, mixed> $input
    +     * @return array<string, mixed>
    +     */
    +    private function filterFields(array $input): array
    +    {
    +        if (array_key_exists('filename', $_REQUEST)) {
    +            unset($input['filename']);
    +        }
    +
    +        $blacklisted = ['filepath', 'sha1sum'];
    +        return array_filter($input, static fn($v, $k) => !in_array($k, $blacklisted), ARRAY_FILTER_USE_BOTH);
    +    }
     }
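Review bot: `in_array($k, $blacklisted)` uses loose comparison; on PHP 7.x, where `0 == 'filepath'` evaluates to true, an integer key `0` in `$input` would be silently dropped. Pass `true` as the third argument (`in_array($k, $blacklisted, true)`) so only the two string keys are removed. Also consider promoting `$blacklisted` to a class constant so the read-only fields are visible at the top of the class, and mention the `filename`/`$_REQUEST` rule in the docblock, since the helper applies two different policies.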
    
0ea900cb51a3

Bump version

https://github.com/glpi-project/glpi · Johan Cwiklinski · Apr 29, 2026 · Fixed in 11.0.7 (via release-tag)
1 file changed · +1 -1
  • src/autoload/constants.php (+1 -1, modified)
    @@ -40,7 +40,7 @@
     define('GLPI_ROOT', dirname(__DIR__, 2));
     
     // Current version of GLPI
    -define('GLPI_VERSION', '11.0.7-dev');
    +define('GLPI_VERSION', '11.0.7');
     
     $schema_file = sprintf('%s/install/mysql/glpi-empty.sql', GLPI_ROOT);
     define(
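Review bot: This hunk only moves `GLPI_VERSION` from `11.0.7-dev` to `11.0.7` and contains no security-relevant code; it is a release marker. The substantive change for this CVE is the `filterFields()` helper and the removed `filepath` branch in `src/Document.php` (commit 752c8eeb041a). Nothing to change here.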
    
d91722c60d75

Bump version

https://github.com/glpi-project/glpi · Johan Cwiklinski · Apr 29, 2026 · Fixed in 10.0.25 (via release-tag)
1 file changed · +1 -1
  • inc/define.php (+1 -1, modified)
    @@ -36,7 +36,7 @@
     use Glpi\SocketModel;
     
     // Current version of GLPI
    -define('GLPI_VERSION', '10.0.25-dev');
    +define('GLPI_VERSION', '10.0.25');
     
     $schema_file = sprintf('%s/install/mysql/glpi-empty.sql', GLPI_ROOT);
     define(
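Review bot: As with the 11.0.7 bump, this is a release marker only (`10.0.25-dev` to `10.0.25`); the 10.0.25 fix itself lives in commit 752c8eeb041a (`src/Document.php`). Nothing to change here.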
    

Vulnerability mechanics

Root cause

"The software does not properly restrict access to files within the GLPI_DOC_DIR."

Attack vector

A technician user can exploit this vulnerability by crafting a specific request that manipulates file paths. This allows them to read arbitrary files from the GLPI_DOC_DIR, potentially exposing sensitive information. The vulnerability affects versions prior to 10.0.25 and 11.0.7.

Affected code

The vulnerability resides in the code that handles file access within the GLPI_DOC_DIR. While specific code paths are not detailed in the provided information, the patches indicate changes in `src/autoload/constants.php` [patch_id=4683551] and `inc/define.php` [patch_id=4683550], which are related to version definitions.

What the fix does

The patches address this vulnerability by updating the GLPI_VERSION constant in the respective files. Specifically, patch_id=4683551 updates `src/autoload/constants.php` and patch_id=4683550 updates `inc/define.php`. These changes align the version numbers to the patched releases, indicating that the underlying security flaw has been resolved in versions 10.0.25 and 11.0.7.

Preconditions

  • auth: The attacker must have technician privileges within GLPI.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.