CVE-2026-25937 in glpi
Summary
by MITRE • 03/18/2026
GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue.
Analysis
by VulDB Data Team • 03/21/2026
CVE-2026-25937 affects GLPI, a widely used open-source asset and IT management package that organizations rely on to maintain inventory and track IT resources. The flaw exists in versions 11.0.0 through 11.0.5 and sits in the platform's multi-factor authentication (MFA) implementation; it is a regression introduced in the 11.0.0 release.
The flaw is an authentication bypass: an attacker who already holds valid user credentials can circumvent the MFA requirement. The authentication flow fails to properly validate the additional factor before granting access, so an account that is nominally protected by MFA can be taken over with the password alone, neutralizing the additional security layer that is meant to protect user sessions.
Operationally, organizations running affected GLPI versions are exposed to unauthorized access and potential data breaches. A compromised account gives access to sensitive asset information and IT inventory data and, depending on the account's role, to administrative functions. Because GLPI is often used to manage critical IT assets and infrastructure, successful exploitation can mean full account takeover and unauthorized changes to asset records, user permissions and system configuration, with consequences that extend beyond the individual account to the organization as a whole.
The weakness corresponds to CWE-305 (Authentication Bypass by Primary Weakness) and reflects a failure to implement MFA controls as security best practice requires. Organizations should upgrade to GLPI 11.0.6 or later without delay; the update addresses the bypass by properly validating the MFA requirement. Security teams should also monitor for suspicious authentication patterns and consider temporary lockout policies for accounts that may have been compromised. The issue underlines the need for thorough security testing before release and for keeping enterprise deployments current with security patches, and it is a reminder of the role MFA plays in protecting accounts and of the consequences when an authentication mechanism is inadequately implemented or tested.
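The monitoring recommendation above can be made concrete as a log check: for every account that is enrolled in MFA, a successful login should be followed by an MFA verification event before the session touches anything. The script below is an added example, not code from VulDB or the GLPI project. The log format, event names (LOGIN_OK, MFA_OK, ACCESS), the enrolment list and the sample lines are all constructed for this illustration; GLPI's real authentication log looks different, so the parser would need to be adapted to whatever your deployment actually emits.

```python
"""
Detection sketch: flag sessions of MFA-enrolled users where a successful
login was not followed by an MFA verification within a grace window, and
distinguish sessions that went on to access resources without MFA.

All log lines, event names and the enrolment list below are constructed
for this example (hypothetical format, not GLPI's real log format).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event, then key=value fields.
SAMPLE_LOG = """\
2026-03-18T08:00:01Z LOGIN_OK user=alice sid=s1 ip=10.0.0.5
2026-03-18T08:00:04Z MFA_OK user=alice sid=s1 ip=10.0.0.5
2026-03-18T08:01:10Z LOGIN_OK user=bob sid=s2 ip=10.0.0.9
2026-03-18T08:01:12Z ACCESS user=bob sid=s2 ip=10.0.0.9 path=/assets
2026-03-18T08:02:00Z LOGIN_OK user=carol sid=s3 ip=10.0.0.7
2026-03-18T08:05:30Z MFA_OK user=carol sid=s3 ip=10.0.0.7
2026-03-18T08:06:00Z LOGIN_OK user=dave sid=s4 ip=198.51.100.20
2026-03-18T08:06:03Z ACCESS user=dave sid=s4 ip=198.51.100.20 path=/dashboard
"""

# Constructed enrolment data: accounts that are expected to complete MFA.
MFA_ENROLLED = {"alice", "bob", "carol"}   # dave is not enrolled

# How long after LOGIN_OK we expect to see MFA_OK for the same session.
MFA_GRACE = timedelta(minutes=2)


def parse_line(line):
    """Parse one constructed log line into a dict; return None for junk."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def find_mfa_gaps(log_text, enrolled=MFA_ENROLLED, grace=MFA_GRACE):
    """Return (user, sid, reason) tuples for sessions of MFA-enrolled users
    whose login was not followed by MFA_OK within the grace window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_sid = defaultdict(list)
    for e in events:
        if "sid" in e:
            by_sid[e["sid"]].append(e)

    findings = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        login = next((e for e in evs if e["event"] == "LOGIN_OK"), None)
        if login is None or login.get("user") not in enrolled:
            continue  # no login in this session, or user is not enrolled
        mfa = next((e for e in evs
                    if e["event"] == "MFA_OK" and e["ts"] >= login["ts"]), None)
        if mfa is not None and mfa["ts"] - login["ts"] <= grace:
            continue  # second factor completed in time: normal session
        # Did the session touch a resource before MFA was ever verified?
        accessed = any(e["event"] == "ACCESS" and e["ts"] > login["ts"]
                       and (mfa is None or e["ts"] < mfa["ts"]) for e in evs)
        if accessed:
            reason = "resource access before MFA verification"
        elif mfa is None:
            reason = "no MFA verification after login"
        else:
            reason = "MFA verification later than grace window"
        findings.append((login["user"], sid, reason))
    return findings


if __name__ == "__main__":
    for user, sid, reason in find_mfa_gaps(SAMPLE_LOG):
        print(f"ALERT user={user} sid={sid}: {reason}")
```

Run against the constructed sample, the check flags bob's session (resource access with no second factor at all, the pattern an MFA bypass would leave) and carol's session (second factor completed well outside the grace window), while alice's normal login and dave's non-enrolled account produce nothing. The same structure applies to any authentication log once the three event kinds and the session identifier are mapped to the real field names.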