CVE-2025-64516 Overview
GLPI is a free, open-source asset and IT management software package used by organizations to track tickets, assets, and knowledge base content. CVE-2025-64516 is a broken access control vulnerability [CWE-284] affecting GLPI versions prior to 10.0.21 and 11.0.3. An unauthorized user can access documents attached to any item, including tickets and assets. When the public FAQ feature is enabled, anonymous users can also exploit this flaw without authentication. The GLPI project has released fixed versions 10.0.21 and 11.0.3.
Critical Impact
Remote attackers can retrieve sensitive documents attached to GLPI items without authorization, potentially exposing confidential ticket attachments, asset documentation, and other internal records.
Affected Products
- GLPI versions prior to 10.0.21 (10.x branch)
- GLPI versions prior to 11.0.3 (11.x branch)
- Instances with the public FAQ feature enabled (allows anonymous exploitation)
Discovery Timeline
- 2026-01-15 - CVE-2025-64516 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-64516
Vulnerability Analysis
The vulnerability resides in the document relation handling logic within GLPI's src/Document.php file. GLPI links documents to various items (tickets, assets, knowledge base articles) through the glpi_documents_items table. The access control check used a LEFT JOIN against the glpi_knowbaseitems table when evaluating whether a requester could view a document. A LEFT JOIN returns rows even when no matching knowledge base item exists, which caused the authorization check to incorrectly include documents attached to non-FAQ items.
Attackers can iterate document identifiers and retrieve attachments belonging to tickets, assets, or any other item type. When the public FAQ is enabled, no session or credentials are required to perform the request.
Root Cause
The root cause is improper access control [CWE-284] caused by an incorrect SQL join type in the document permission query. A LEFT JOIN against glpi_knowbaseitems allowed rows to pass the filter even when the document was not linked to a public FAQ item. The fix replaces the LEFT JOIN with an INNER JOIN, ensuring only documents legitimately related to public knowledge base items are returned for unauthenticated requests.
Attack Vector
Exploitation is performed over the network against the GLPI web interface. An attacker issues HTTP requests to the document retrieval endpoint, supplying document identifiers. If the public FAQ is enabled, no authentication is required. Otherwise, any low-privilege authenticated user can access documents beyond their authorization scope.
$request = [
'FROM' => 'glpi_documents_items',
'COUNT' => 'cpt',
- 'LEFT JOIN' => [
+ 'INNER JOIN' => [
'glpi_knowbaseitems' => [
'FKEY' => [
'glpi_knowbaseitems' => 'id',
Source: GLPI commit 51412a8. The patch changes the join type so that the access check only matches documents legitimately bound to a knowledge base item.
Detection Methods for CVE-2025-64516
Indicators of Compromise
- Unauthenticated HTTP GET requests to GLPI document download endpoints such as /front/document.send.php with varying docid parameters
- Sequential or scripted enumeration of document IDs originating from a single source IP
- Document retrieval requests from anonymous sessions when public FAQ is enabled
- Web server access logs showing bulk document downloads outside normal user activity windows
Detection Strategies
- Review GLPI web server access logs for unauthenticated requests to document-serving endpoints and correlate with valid session activity
- Alert on high-volume document download patterns from a single client IP or user agent
- Compare requested docid values against expected access rights to flag retrievals tied to non-FAQ items by anonymous users
- Hunt for outbound document exfiltration through proxy and DLP logs referencing GLPI hostnames
Monitoring Recommendations
- Enable verbose access logging on the GLPI web server and forward logs to a centralized analytics platform for correlation
- Monitor the glpi_logs table and application audit trail for unusual document access patterns
- Track the running GLPI version against the fixed releases 10.0.21 and 11.0.3 to confirm patch deployment
- Configure alerts on the public FAQ endpoint to detect spikes in anonymous traffic
How to Mitigate CVE-2025-64516
Immediate Actions Required
- Upgrade GLPI to version 10.0.21 (10.x branch) or 11.0.3 (11.x branch) as published in the official release notes
- If immediate patching is not possible, disable the public FAQ feature to remove the anonymous exploitation path
- Restrict network access to the GLPI instance using firewall rules or a reverse proxy until the patch is applied
- Audit web server logs for prior unauthorized document access and rotate any credentials or sensitive data exposed through attached documents
Patch Information
The GLPI project released fixed builds in GLPI Release 10.0.21 and GLPI Release 11.0.3. The code changes are detailed in commit 51412a8 and commit ee7ee28. Full vulnerability context is published in GitHub Security Advisory GHSA-487h-7mxm-7r46.
Workarounds
- Disable the public FAQ in GLPI configuration to require authentication for all document access
- Place the GLPI application behind a Web Application Firewall (WAF) and block direct requests to document endpoints from unauthenticated sessions
- Restrict access to the GLPI instance to trusted internal networks or VPN clients until upgrade
# Example upgrade workflow on a Linux host
# 1. Back up the GLPI files and database
tar -czf glpi-backup-$(date +%F).tar.gz /var/www/html/glpi
mysqldump -u glpi -p glpi > glpi-db-$(date +%F).sql
# 2. Download the patched release
wget https://github.com/glpi-project/glpi/releases/download/10.0.21/glpi-10.0.21.tgz
# 3. Extract and replace the application files, then run the upgrade routine
tar -xzf glpi-10.0.21.tgz -C /var/www/html/
php /var/www/html/glpi/bin/console db:update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
