CVE-2026-42320 Overview
CVE-2026-42320 is an authorization flaw in GLPI, an open-source asset and IT management software package. The vulnerability allows an authenticated technician to read arbitrary files inside the GLPI_DOC_DIR directory. The issue affects GLPI versions starting from 0.50 and prior to 10.0.25 and 11.0.7. The root cause is classified as [CWE-862] Missing Authorization. Upgrading to GLPI 10.0.25 or 11.0.7 resolves the vulnerability.
Critical Impact
An authenticated technician can read arbitrary files within GLPI_DOC_DIR, exposing documents, attachments, and other sensitive data managed by GLPI.
Affected Products
- GLPI versions 0.50 through 10.0.24
- GLPI 11.x versions prior to 11.0.7
- Self-hosted GLPI deployments using the default document directory
Discovery Timeline
- 2026-06-03 - CVE-2026-42320 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-42320
Vulnerability Analysis
The vulnerability resides in the GLPI document access logic that governs files stored under GLPI_DOC_DIR. GLPI exposes endpoints that serve files to users based on their assigned permissions. The vulnerable code path does not enforce sufficient authorization checks for technician accounts. As a result, a technician can request arbitrary files inside the document directory and retrieve their contents.
The scope is bounded to files within GLPI_DOC_DIR, which typically holds ticket attachments, knowledge base resources, inventory exports, and other operational documents. The flaw does not provide write access or code execution. Confidentiality is the primary security property impacted, while integrity and availability remain unaffected.
Root Cause
The root cause is a missing authorization check ([CWE-862]) on a file retrieval routine. The application validates that the caller is authenticated as a technician but fails to validate that the technician is entitled to access the specific requested document. This logic gap permits direct retrieval of files that should be restricted to other roles, owners, or entities.
Attack Vector
The attack is network-based and requires high privileges, specifically a valid technician account. No user interaction is needed. The attacker authenticates to GLPI, issues a crafted request that references a file path inside GLPI_DOC_DIR, and receives the file contents in the response. Exploitation complexity is increased by the need for valid technician credentials and knowledge of target file references.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the GLPI GitHub Security Advisory GHSA-58j6-94cf-gcx5 for vendor technical details.
Detection Methods for CVE-2026-42320
Indicators of Compromise
- Unexpected file access requests from technician accounts referencing documents outside their assigned tickets or entities
- HTTP requests to GLPI document endpoints containing unusual file identifiers or path components
- Spikes in document download volume tied to a single technician session
Detection Strategies
- Review GLPI application and web server logs for document retrieval requests correlated with technician user IDs and compare against ticket or entity assignments
- Alert on technician accounts retrieving documents linked to entities or groups they do not belong to
- Inspect access patterns against GLPI_DOC_DIR paths at the web server tier for sequential or enumerated identifiers
Monitoring Recommendations
- Enable verbose GLPI audit logging for document and file access events
- Forward GLPI and web server logs to a centralized SIEM for correlation with identity and role data
- Baseline normal document access volume per technician role and alert on deviations
How to Mitigate CVE-2026-42320
Immediate Actions Required
- Upgrade GLPI to version 10.0.25 or 11.0.7 as soon as possible
- Audit technician account inventory and disable or restrict accounts that are no longer required
- Review historical document access logs for signs of unauthorized retrieval by technician accounts
Patch Information
The GLPI project addressed CVE-2026-42320 in versions 10.0.25 and 11.0.7. The fix introduces the missing authorization checks on document retrieval so that a technician can only access files they are entitled to view. Patch details are documented in the GLPI GitHub Security Advisory GHSA-58j6-94cf-gcx5.
Workarounds
- Restrict the number of accounts assigned the technician profile until patching is complete
- Place GLPI behind a reverse proxy or WAF and block requests that reference unexpected document identifiers
- Apply strict filesystem permissions on GLPI_DOC_DIR to limit exposure of sensitive documents
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
