CVE-2025-64516 Overview
CVE-2025-64516 is an Improper Access Control vulnerability affecting GLPI, a free asset and IT management software package. This vulnerability allows unauthorized users to access documents attached to any item within the GLPI system, including tickets, assets, and other sensitive resources. When the public FAQ feature is enabled, anonymous users can exploit this vulnerability without any authentication, significantly expanding the attack surface.
Critical Impact
Unauthorized access to sensitive GLPI documents including tickets, assets, and attachments. Anonymous exploitation possible when public FAQ is enabled.
Affected Products
- GLPI versions prior to 10.0.21
- GLPI versions prior to 11.0.3
- glpi-project glpi
Discovery Timeline
- 2026-01-15 - CVE CVE-2025-64516 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-64516
Vulnerability Analysis
This vulnerability stems from improper access control mechanisms in GLPI's document handling functionality. The core issue lies in the document relation filtering logic within src/Document.php, where the application fails to properly validate user authorization before returning document references. The vulnerability is classified as CWE-284 (Improper Access Control), indicating that the application does not adequately restrict access to sensitive resources.
The network-based attack vector requires no privileges or user interaction, making exploitation trivial for attackers. When combined with the public FAQ feature, even anonymous users can enumerate and access documents that should be restricted to authenticated users with appropriate permissions. This could expose sensitive IT asset information, support ticket contents, internal documentation, and potentially confidential attachments.
Root Cause
The root cause of this vulnerability is an incorrect SQL JOIN operation in the document retrieval logic. The vulnerable code used a LEFT JOIN operation when querying document relationships with knowledge base items, which returned results regardless of whether a matching relationship actually existed. This allowed unauthorized access to documents that should have been filtered based on item relationships and user permissions.
Attack Vector
An attacker can exploit this vulnerability by making direct requests to document endpoints within GLPI. Since the document access control is improperly implemented, the attacker can enumerate and retrieve documents attached to any item in the system. If the public FAQ is enabled, these requests can be made without any authentication, allowing anonymous access to potentially sensitive organizational data.
// Security patch from src/Document.php - Fix document relation filtering
// Source: https://github.com/glpi-project/glpi/commit/51412a89d3174cfe22967b051d527febdbceab3c
$request = [
'FROM' => 'glpi_documents_items',
'COUNT' => 'cpt',
- 'LEFT JOIN' => [
+ 'INNER JOIN' => [
'glpi_knowbaseitems' => [
'FKEY' => [
'glpi_knowbaseitems' => 'id',
The fix changes the LEFT JOIN to an INNER JOIN, ensuring that documents are only returned when a valid relationship exists with the knowledge base item, preventing unauthorized document enumeration and access.
Detection Methods for CVE-2025-64516
Indicators of Compromise
- Unusual access patterns to document endpoints from unauthenticated sessions
- High volume of document retrieval requests from single IP addresses
- Access attempts to documents associated with items the user should not have access to
- Anomalous API calls to /front/document.send.php or similar document serving endpoints
Detection Strategies
- Monitor web server access logs for unusual patterns in document download requests
- Implement alerting on document access attempts from anonymous or low-privilege sessions
- Review GLPI audit logs for document access events that do not correspond to legitimate user activity
- Deploy Web Application Firewall (WAF) rules to detect enumeration attempts against document endpoints
Monitoring Recommendations
- Enable detailed logging for all document access events in GLPI
- Configure SIEM correlation rules to detect bulk document access from single sources
- Monitor for requests to document endpoints without proper session authentication
- Track failed authorization attempts that may indicate probing activity
How to Mitigate CVE-2025-64516
Immediate Actions Required
- Upgrade GLPI to version 10.0.21 or 11.0.3 immediately
- Disable the public FAQ feature until the patch is applied if upgrading is not immediately possible
- Review access logs for any signs of exploitation
- Audit recently accessed documents to identify potential data exposure
Patch Information
The GLPI project has released security patches that address this vulnerability by correcting the SQL JOIN logic in document retrieval functions. The fix ensures proper authorization validation before returning document references.
- Version 10.0.21: GitHub Release 10.0.21
- Version 11.0.3: GitHub Release 11.0.3
- Security Advisory: GitHub Security Advisory GHSA-487h-7mxm-7r46
Workarounds
- Disable the public FAQ feature to prevent anonymous exploitation
- Implement network-level access controls to restrict GLPI access to trusted networks
- Configure reverse proxy rules to require authentication for document endpoints
- Consider temporarily restricting document attachment functionality for sensitive items
# Configuration example - Disable public FAQ in GLPI config
# Edit /etc/glpi/config.php or navigate to Setup > General > Helpdesk
# Set "Allow anonymous access to FAQ" to "No"
# Alternatively, restrict access at the web server level (Apache example)
<Location /glpi/front/document.send.php>
Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
