CVE-2026-13490 in glpi

Summary

by MITRE • 06/28/2026

A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. It affects the function Document::canViewFile in the file front/document.send.php of the component Document Handler. Manipulation of the argument docid leads to an authorization bypass. The attack can be executed remotely, is rated as high complexity, and is considered difficult to exploit. The vendor was contacted early about this disclosure.


Analysis

by VulDB Data Team • 06/28/2026

The vulnerability in glpi-project glpi versions 11.0.5 through 11.0.7 is a critical authorization bypass in the Document Handler component, specifically in the Document::canViewFile function in front/document.send.php. It stems from inadequate input validation and access control: the code fails to verify the caller's permissions before serving a file. The weakness is triggered by manipulating the docid parameter, which is the primary identifier for document access requests in the application's file handling.

Technically, the flaw lies in Document::canViewFile's insufficient validation of the docid argument, which should enforce the authorization check before any file is returned. A request with a manipulated docid value can bypass the intended access controls that restrict file viewing to authorized users, so an unauthorized party can retrieve documents that should be protected by the roles and permissions configured in GLPI.

The operational impact goes beyond a single unauthorized read: the failure undermines the application's security model and can expose sensitive information held in the document management system. Because the flaw is remotely exploitable, an adversary needs neither physical access nor network proximity, which makes public-facing GLPI installations the most exposed. The high complexity and difficult exploitability rating indicate that an attack demands significant skill and resources, but a successful one could still result in a substantial data breach.

The vulnerability aligns with CWE-284 (Improper Access Control) and is a classic case of missing authorization checks in a web application. From an ATT&CK perspective it maps to T1078 (Valid Accounts) and T1566 (Phishing), since an attacker could use compromised credentials or social engineering to obtain initial access before exploiting the bypass, and to T1213 (Data from Information Repositories), since it enables unauthorized retrieval of stored documents.

Organizations should update to a patched GLPI release without delay, add input validation around the docid parameter, and strengthen access controls on document handling functions. Network segmentation and monitoring of document access patterns can help detect exploitation attempts. The vendor's early involvement in this disclosure reflects responsible vulnerability management, but patch management and security monitoring remain the organization's own responsibility.
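One way to act on the monitoring recommendation above, as an added example that is not part of this advisory or of GLPI itself: a Python script that scans web-server access-log lines for a client that is served many distinct docid values from front/document.send.php within a short window, the pattern that unauthorized document retrieval through this endpoint would leave behind. The log lines are constructed, and the combined log format, the five-minute window and the threshold of five documents are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def _log(ip, user, hms, path):  # builds one constructed access-log line
    return f'{ip} - {user} [28/Jun/2026:{hms} +0000] "GET {path} HTTP/1.1" 200 5120'

# Constructed sample: a 7-docid sweep by one client, a repeat download by alice, an unrelated page.
SAMPLE_LOG = [_log("203.0.113.10", "-", f"10:00:{i:02d}",
                   f"/front/document.send.php?docid={100 + i}") for i in range(1, 8)] + [
    _log("198.51.100.5", "alice", "10:03:00", "/front/document.send.php?docid=42"),
    _log("198.51.100.5", "alice", "10:03:05", "/front/document.send.php?docid=42"),
    _log("198.51.100.7", "-", "10:04:00", "/front/central.php")]

def parse_line(line):
    """Return a dict for a document.send.php request that carries docid, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    docid = parse_qs(url.query).get("docid")
    if not url.path.endswith("/front/document.send.php") or not docid:
        return None
    return {"client": (m.group("ip"), m.group("user")), "docid": docid[0],
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m.group("status"))}

def find_docid_sweeps(lines, window=timedelta(minutes=5), threshold=5):
    """Flag clients served more than `threshold` distinct docids within any
    `window`; returns {(ip, user): sorted docids seen in the busiest window}."""
    by_client = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if ev["status"] == 200:  # only documents actually served count
            by_client[ev["client"]].append(ev)
    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide window start forward
                start += 1
            ids = {e["docid"] for e in evs[start:end + 1]}
            best = ids if len(ids) > len(best) else best
        if len(best) > threshold:
            alerts[client] = sorted(best)
    return alerts
```

Only successful (200) responses are counted, so a burst of denied requests from a patched instance does not trigger the rule; on an unpatched instance the sweep from 203.0.113.10 is reported while alice's repeated download of one document is not.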

Responsible: VulDB

Disclosure: 06/28/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
