VYPR
High severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-44281

Description

GLPI versions prior to 10.0.25 and 11.0.7 allow authenticated users with config READ permission to access specific asset data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

GLPI, a free asset and IT management software package, is affected by a vulnerability starting in version 0.78 and prior to versions 10.0.25 and 11.0.7. An authenticated user with config READ permission can read a specific asset object due to insufficient access controls [1].

Exploitation

An attacker must first authenticate to the GLPI system and possess the config READ permission. Once authenticated, the attacker can then access a specific asset object that they should not be able to view [1].

Impact

Successful exploitation allows an authenticated attacker to gain unauthorized read access to specific asset objects within the GLPI system. This could lead to the disclosure of sensitive IT asset information [1].

Mitigation

GLPI versions 10.0.25 and 11.0.7 contain a patch for this vulnerability. Users are advised to upgrade to these versions or later to receive the fix [1].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Glpi Project/Glpi (inferred), 2 version ranges
    • (no CPE) range: >=0.78, <11.0.7
    • (no CPE) range: >=0.78, <10.0.25, <11.0.7

Patches (3)

3389dbf83623

Merge commit from fork

https://github.com/glpi-project/glpi · Cédric Anne · Apr 29, 2026 · Fixed in 10.0.25 · via llm-release-walk
1 file changed · +1 −1
  • src/Lock.php · +1 −1 · modified
    @@ -284,7 +284,7 @@ public static function showForItem(CommonDBTM $item)
                         if ($default_items_id !== null && is_a($row['itemtype'], CommonDBRelation::class, true)) {
                             $related_object = new $default_itemtype();
                             $related_object->getFromDB($object->fields[$default_items_id]);
    -                        $default_object_link = "<a href='" . $object->getLinkURL() . "'" . $related_object->getName() . ">" . $related_object->getName() . "</a>";
    +                        $default_object_link = "<a href='" . $object->getLinkURL() . "'>" . $related_object->getName() . "</a>";
                         }
     
                         echo "<td class='left'>" . $default_itemtype_label . "</td>";
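Review bot: The removed line concatenated `$related_object->getName()` between the closing quote of `href` and the `>` that ends the tag, so the name was emitted raw inside the opening `<a>` tag instead of only as link text; the added line closes the attribute with `'>` and keeps the name solely as the anchor body. Two follow-ups: the name is still concatenated into HTML output without encoding, so if `getName()` can return user-supplied text it should be HTML-escaped before being placed in the markup; and this hunk only changes link rendering in `showForItem`, so it does not by itself show the access-control check the advisory describes.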
    
0ea900cb51a3

Bump version

https://github.com/glpi-project/glpi · Johan Cwiklinski · Apr 29, 2026 · Fixed in 11.0.7 · via release-tag
1 file changed · +1 −1
  • src/autoload/constants.php · +1 −1 · modified
    @@ -40,7 +40,7 @@
     define('GLPI_ROOT', dirname(__DIR__, 2));
     
     // Current version of GLPI
    -define('GLPI_VERSION', '11.0.7-dev');
    +define('GLPI_VERSION', '11.0.7');
     
     $schema_file = sprintf('%s/install/mysql/glpi-empty.sql', GLPI_ROOT);
     define(
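Review bot: This hunk only changes `GLPI_VERSION` from `'11.0.7-dev'` to `'11.0.7'`; it is the release tag, not the access-control change itself. It is useful for confirming an installed instance is at the fixed version, but it should not be read as the code change that resolves this CVE.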
    
d91722c60d75

Bump version

https://github.com/glpi-project/glpi · Johan Cwiklinski · Apr 29, 2026 · Fixed in 10.0.25 · via release-tag
1 file changed · +1 −1
  • inc/define.php · +1 −1 · modified
    @@ -36,7 +36,7 @@
     use Glpi\SocketModel;
     
     // Current version of GLPI
    -define('GLPI_VERSION', '10.0.25-dev');
    +define('GLPI_VERSION', '10.0.25');
     
     $schema_file = sprintf('%s/install/mysql/glpi-empty.sql', GLPI_ROOT);
     define(
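Review bot: As with the 11.0.x tag, this hunk is a version bump (`'10.0.25-dev'` to `'10.0.25'`) with no functional change; it marks the release on the 10.0.x branch and carries no part of the authorization fix, so anyone auditing the fix needs the commits between the previous tag and this one rather than this diff.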
    

Vulnerability mechanics

Root cause

"The vulnerability is due to insufficient access control checks allowing unauthorized reading of asset objects."

Attack vector

An authenticated user with CONFIG READ permission can exploit this vulnerability. The attacker can access specific asset objects that they should not be able to read. The advisory does not specify the exact method or payload used to trigger this unauthorized access.

Affected code

The vulnerability affects GLPI versions prior to 10.0.25 and 11.0.7. The version-bump patches listed here only update the version definition in `src/autoload/constants.php` and `inc/define.php`, and the `src/Lock.php` change corrects link markup; none of the listed diffs shows the code responsible for the access control flaw.

What the fix does

The listed commits are release version bumps. The advisory indicates that upgrading to versions 10.0.25 or 11.0.7 will resolve the issue, but the diffs as provided only update the version constants and do not contain the specific code changes that tighten access control.

Preconditions

  • auth: The attacker must be authenticated.
  • config: The authenticated attacker must possess CONFIG READ permission.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)
