Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13490

CVE-2026-13490: GLPI Authorization Bypass Vulnerability

CVE-2026-13490 is an authorization bypass flaw in GLPI project versions 11.0.5-11.0.7 affecting document access controls. This post covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-13490 Overview

CVE-2026-13490 is an authorization bypass vulnerability in the GLPI IT asset management platform, affecting versions 11.0.5, 11.0.6, and 11.0.7. The flaw resides in the Document::canViewFile function within front/document.send.php, a component of the Document Handler. Attackers can manipulate the docid argument to bypass access controls and retrieve documents they should not be authorized to view. The vulnerability is remotely exploitable without authentication or user interaction, though exploitation requires high attack complexity. The weakness is classified under [CWE-285] (Improper Authorization).

Critical Impact

Remote attackers can bypass authorization checks in the Document Handler to access confidential documents stored in affected GLPI instances.

Affected Products

  • GLPI 11.0.5
  • GLPI 11.0.6
  • GLPI 11.0.7

Discovery Timeline

  • 2026-06-28 - CVE-2026-13490 published to NVD
  • 2026-06-30 - Last updated in NVD database

Technical Details for CVE-2026-13490

Vulnerability Analysis

The vulnerability affects the Document Handler component of GLPI, an open-source IT service management (ITSM) platform. The Document::canViewFile function in front/document.send.php is responsible for verifying whether a requesting user has permission to view a specific document referenced by the docid parameter. Improper handling of this parameter allows an attacker to circumvent the authorization logic and access documents outside of their permission scope.

Because the flaw exists in the pre-download authorization check, successful exploitation directly exposes stored file content. This can include tickets, attachments, contracts, and other sensitive artifacts commonly stored in GLPI instances used for helpdesk and asset management.

Root Cause

The root cause is improper authorization ([CWE-285]) within the Document::canViewFile method. The function fails to correctly validate the relationship between the authenticated context and the requested docid, allowing manipulation of that argument to bypass access enforcement. The condition is difficult to reach reliably, which accounts for the high attack complexity rating.

Attack Vector

An attacker sends a crafted HTTP request to front/document.send.php with a manipulated docid parameter. The request targets a document identifier the attacker is not authorized to access. When the flawed authorization check evaluates the manipulated input, it returns a permissive result and serves the file to the attacker. No authentication or user interaction is required to attempt the attack, though specific conditions must align for successful exploitation.

No verified public proof-of-concept code is available. Refer to the VulDB advisory for CVE-2026-13490 for additional technical detail.

Detection Methods for CVE-2026-13490

Indicators of Compromise

  • Unexpected HTTP GET requests to front/document.send.php with sequential or fuzzed docid values from a single source IP.
  • Web server access logs showing successful 200 OK responses to document.send.php requests originating from unauthenticated or low-privileged sessions.
  • Anomalous spikes in outbound bandwidth from the GLPI server tied to document downloads.

Detection Strategies

  • Correlate GLPI application logs with web access logs to identify document downloads that lack a corresponding authorized session context.
  • Deploy web application firewall (WAF) rules that flag enumeration patterns against the docid parameter on document.send.php.
  • Baseline normal document access patterns per user role and alert on deviations, particularly bulk retrieval of unrelated docid values.

Monitoring Recommendations

  • Monitor authentication state at the reverse proxy or WAF layer for any request reaching document.send.php without a valid GLPI session cookie.
  • Enable verbose audit logging in GLPI to capture the requesting user identifier alongside each document access.
  • Forward GLPI and web server logs to a centralized analytics platform for retention and correlation with identity events.

How to Mitigate CVE-2026-13490

Immediate Actions Required

  • Inventory all GLPI instances and identify hosts running versions 11.0.5, 11.0.6, or 11.0.7.
  • Restrict external network exposure of GLPI web interfaces to trusted networks or VPN users until a patch is applied.
  • Review recent access logs for front/document.send.php to identify any suspicious docid enumeration activity.

Patch Information

No fixed version is referenced in the published advisory data at the time of writing. Monitor the GLPI project releases and the VulDB entry for CVE-2026-13490 for the availability of a patched build, and upgrade as soon as a corrected release is published.

Workarounds

  • Place GLPI behind an authenticating reverse proxy that enforces session validation before requests reach document.send.php.
  • Configure a WAF rule to block or challenge unauthenticated requests to front/document.send.php and rate-limit requests carrying the docid parameter.
  • Reduce the blast radius by moving highly sensitive attachments out of GLPI storage until the vulnerability is remediated.
bash
# Example nginx rule to require an authenticated session cookie
# before allowing access to the vulnerable endpoint
location = /front/document.send.php {
    if ($cookie_glpi_session = "") {
        return 401;
    }
    limit_req zone=glpi_docs burst=5 nodelay;
    proxy_pass http://glpi_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.