CVE-2026-32312 Overview
CVE-2026-32312 is a missing authorization vulnerability [CWE-862] affecting GLPI, a free, open-source asset and IT service management platform. The flaw exists in GLPI versions 11.0.0 through 11.0.6. An authenticated user holding only the forms READ permission can export the structure of forms they are not authorized to view. The GLPI project addressed the issue in version 11.0.7.
Critical Impact
Authenticated low-privilege users can disclose the structure of restricted forms, exposing field definitions, validation logic, and internal workflow design that should be limited to authorized roles.
Affected Products
- GLPI 11.0.0 through 11.0.6
- GLPI Forms module (export functionality)
- Fixed in GLPI 11.0.7
Discovery Timeline
- 2026-05-19 - CVE-2026-32312 published to NVD
- 2026-05-19 - Last updated in NVD database
- Patch available - Fix released in GLPI 11.0.7 via GitHub Release 11.0.7
- Advisory published - See GitHub Security Advisory GHSA-cg63-qchq-q626
Technical Details for CVE-2026-32312
Vulnerability Analysis
The vulnerability is classified under [CWE-862] Missing Authorization. GLPI exposes a form export feature that returns the structural definition of a form, including sections, questions, field types, and configured logic. The export endpoint validates that the calling user possesses the generic forms READ permission. It does not perform a secondary check confirming the user has authorization to read the specific target form. As a result, any authenticated account with the forms READ right can request and receive the structure of forms restricted to other roles, entities, or profiles.
The disclosed information is structural rather than transactional. It does not include submitted answers or response data. However, exposed form structures may reveal internal business logic, naming conventions, validation rules, conditional branching, and references to internal systems. This information is useful for reconnaissance prior to targeted social engineering or follow-on attacks against the GLPI instance.
Root Cause
The export handler relies on a coarse-grained permission check tied to the forms module rather than evaluating per-object access control. GLPI normally scopes form visibility by entity, profile, and recipient configuration. The export path bypasses these object-level checks and trusts the module-level capability alone.
Attack Vector
Exploitation requires an authenticated session with high privileges relative to anonymous access, but only the standard forms READ capability that many user profiles legitimately hold. The attacker invokes the form export functionality and supplies the identifier of a form they should not be able to view. The server returns the form structure without enforcing per-form authorization. No user interaction from the victim is required, and the attack is performed over the network against the GLPI web interface.
No public proof-of-concept exploit is currently listed, and the issue is not present in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-32312
Indicators of Compromise
- Web access log entries showing repeated requests to GLPI form export endpoints from a single authenticated session targeting multiple distinct form identifiers.
- Successful HTTP 200 responses returning form structure payloads to accounts that historically only interact with a narrow subset of forms.
- Unusual enumeration patterns iterating sequential form IDs in short time windows.
Detection Strategies
- Review GLPI application logs for export actions and correlate the requesting user profile against the form's configured access scope.
- Alert on authenticated users accessing form structures outside their assigned entity or profile.
- Baseline normal export volume per user and flag deviations consistent with bulk enumeration.
Monitoring Recommendations
- Forward GLPI web server and application logs to a centralized logging or SIEM platform with retention sufficient for retrospective analysis.
- Track which GLPI version is deployed across environments and flag any instance running 11.0.0 through 11.0.6.
- Monitor for new authentication sessions from accounts with the forms READ permission and correlate with export activity.
How to Mitigate CVE-2026-32312
Immediate Actions Required
- Upgrade GLPI to version 11.0.7 or later, which enforces per-form authorization on the export path.
- Audit user profiles to confirm the forms READ permission is granted only to roles that require it.
- Review historical export activity in application logs for evidence of unauthorized structure disclosure prior to patching.
Patch Information
The issue is resolved in GLPI 11.0.7. Download the patched release from GitHub Release 11.0.7. Technical context is provided in GitHub Security Advisory GHSA-cg63-qchq-q626.
Workarounds
- If immediate upgrade is not feasible, restrict the forms READ permission to trusted profiles only.
- Limit network access to the GLPI web interface to authenticated internal users through VPN or IP allowlisting.
- Increase logging verbosity on the forms module to capture export attempts for review until the patched version is deployed.
# Verify the installed GLPI version against the fixed release
grep -R "GLPI_VERSION" /var/www/glpi/inc/define.php
# Expected after upgrade: define('GLPI_VERSION', '11.0.7');
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
