CVE-2026-44281 Overview
CVE-2026-44281 is a missing authorization vulnerability [CWE-862] in GLPI, an open-source IT asset and service management platform. The flaw affects GLPI versions from 0.78 up to but not including 10.0.25, and 11.0.x versions prior to 11.0.7. An authenticated user holding only the config READ permission can read a specific asset object that should require higher privileges. The vendor has released patched versions 10.0.25 and 11.0.7 to address the issue.
Critical Impact
Authenticated low-privilege users with config READ access can read sensitive asset object data, bypassing intended access controls in GLPI deployments.
Affected Products
- GLPI versions 0.78 through 10.0.24
- GLPI versions 11.0.0 through 11.0.6
- Deployments where users have been granted the config READ permission
Discovery Timeline
- 2026-06-03 - CVE-2026-44281 published to the National Vulnerability Database (NVD)
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-44281
Vulnerability Analysis
The vulnerability is a broken access control issue mapped to [CWE-862] Missing Authorization. GLPI fails to enforce the appropriate permission check when an authenticated user requests a specific asset object. The application accepts the config READ permission as sufficient to retrieve the object, even though asset reads are governed by a separate permission set. As a result, a user provisioned with only configuration read access can obtain asset data that should be restricted to users holding asset-specific entitlements.
The impact is limited to the confidentiality and integrity of the affected asset object, and no user interaction is required. Attackers must hold valid GLPI credentials to exploit the flaw, which constrains exposure to insiders or to attackers who have already obtained low-privilege accounts.
Root Cause
The root cause is an authorization check that validates the wrong permission scope when serving the affected asset endpoint. The controller responsible for the asset object verifies that the caller has config READ rather than the asset-type read right defined by the GLPI rights model. Because config READ is commonly delegated to helpdesk supervisors and technicians, the effective audience for the bug is broader than the asset rights model intends.
Attack Vector
Exploitation requires network access to the GLPI web interface and an authenticated session with config READ. The attacker issues a standard authenticated HTTP request to the affected asset object endpoint. No special tooling, payload crafting, or user interaction is required. Refer to the GitHub Security Advisory GHSA-prjc-xwmh-rhxw for the vendor's technical description.
Detection Methods for CVE-2026-44281
Indicators of Compromise
- Authenticated GLPI HTTP requests to asset object endpoints from accounts that hold config READ but lack asset read rights
- Unusual volume of asset object retrievals from non-technician profiles in GLPI access logs
- Access patterns where the same low-privilege session enumerates multiple asset identifiers sequentially
Detection Strategies
- Review GLPI application logs for asset object access by user profiles that should not have asset read rights
- Correlate web server access logs with GLPI session profiles to identify authorization mismatches
- Audit profile assignments to identify accounts granted config READ and assess their legitimate need for that right
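The correlation described above (web server access logs joined with each account's GLPI profile rights, plus the sequential-ID pattern listed under Indicators of Compromise) as an added example; this is not code from the advisory or from the GLPI project. The log layout, the login-to-profile mapping and the asset endpoint pattern are all constructed or hypothetical, since the advisory does not name the affected endpoint; the READ bit value mirrors the bitmask GLPI stores in glpi_profilerights.

```python
import re
from collections import defaultdict

READ = 1  # GLPI's READ bit in glpi_profilerights.rights

# Constructed profile rights shaped like glpi_profilerights rows: profile -> {right name: bitmask}.
PROFILE_RIGHTS = {
    "Technician": {"config": READ, "computer": READ},
    "Supervisor": {"config": READ},  # config READ but no asset right: the population the advisory describes
    "Self-Service": {},
}
USER_PROFILE = {"tech1": "Technician", "super1": "Supervisor", "self1": "Self-Service"}  # constructed

# Hypothetical asset endpoint pattern; the advisory does not name the affected endpoint.
ASSET_RE = re.compile(r"/front/(?P<type>computer|monitor|printer)\.form\.php\?id=(?P<id>\d+)")
# Constructed access-log layout: client, GLPI login, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')

SAMPLE_LOG = """\
10.0.0.5 tech1 [03/Jun/2026:10:00:01 +0000] "GET /front/computer.form.php?id=42 HTTP/1.1" 200
10.0.0.9 super1 [03/Jun/2026:10:02:10 +0000] "GET /front/computer.form.php?id=100 HTTP/1.1" 200
10.0.0.9 super1 [03/Jun/2026:10:02:11 +0000] "GET /front/computer.form.php?id=101 HTTP/1.1" 200
10.0.0.9 super1 [03/Jun/2026:10:02:12 +0000] "GET /front/computer.form.php?id=102 HTTP/1.1" 200
10.0.0.9 super1 [03/Jun/2026:10:03:00 +0000] "GET /front/config.form.php HTTP/1.1" 200
10.0.0.7 self1 [03/Jun/2026:10:05:00 +0000] "GET /front/computer.form.php?id=7 HTTP/1.1" 403
""".splitlines()

def has_asset_read(profile, asset_type):
    """True if the profile's right for this asset type carries the READ bit."""
    return bool(PROFILE_RIGHTS.get(profile, {}).get(asset_type, 0) & READ)

def detect(lines, enum_threshold=3):
    """Flag asset-object reads by profiles lacking that asset right, and sequential ID walks."""
    findings, ids_by_user = [], defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        a = ASSET_RE.search(m["path"]) if m else None
        if not a:
            continue  # not an asset object request
        user, profile = m["user"], USER_PROFILE.get(m["user"], "unknown")
        if not has_asset_read(profile, a["type"]):
            # Status is kept: 200 means the read succeeded, i.e. the instance is likely unpatched.
            findings.append(("missing_asset_right", user, profile, a["type"], int(a["id"]), int(m["status"])))
        ids_by_user[user].append(int(a["id"]))
    for user, ids in ids_by_user.items():  # consecutive IDs from one account suggest enumeration
        if len(ids) >= enum_threshold and all(y - x == 1 for x, y in zip(ids, ids[1:])):
            findings.append(("sequential_enumeration", user, USER_PROFILE.get(user, "unknown"), len(ids)))
    return findings
```

A 403 on a flagged line is an attempt that the instance refused, while a 200 from an account without the asset right is direct evidence of the authorization mismatch this advisory describes.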
Monitoring Recommendations
- Forward GLPI application and web server logs to a centralized SIEM or data lake for query and retention
- Build alerts for repeated asset object access by accounts outside the helpdesk and IT asset teams
- Track GLPI version inventory across environments to confirm patched releases are deployed
How to Mitigate CVE-2026-44281
Immediate Actions Required
- Upgrade GLPI to version 11.0.7 or 10.0.25 as soon as possible
- Inventory all GLPI instances, including staging and legacy deployments, to confirm patch coverage
- Review which accounts currently hold the config READ right and remove the permission where it is not required
Patch Information
The GLPI maintainers released fixed versions 10.0.25 and 11.0.7. Both patches add the correct authorization check to the affected asset object endpoint. Administrators should follow the standard GLPI upgrade procedure, including database migration steps. Patch details are documented in the GitHub Security Advisory GHSA-prjc-xwmh-rhxw.
Workarounds
- Remove the config READ right from profiles that do not require GLPI configuration visibility
- Restrict network access to the GLPI web interface to trusted administrative networks where feasible
- Increase audit logging on GLPI to retain evidence of asset access while planning the upgrade
# Verify the running GLPI version after upgrade
php bin/console --version
# Expected: GLPI 10.0.25 or 11.0.7 (or later)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.