CVE-2026-42317 in glpi
Summary
by MITRE • 06/03/2026
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Analysis
by VulDB Data Team • 06/05/2026
This vulnerability exists within the GLPI asset and IT management software, where a security flaw allows authenticated technicians to perform arbitrary file deletion operations on the underlying filesystem. The vulnerability affects versions 0.78 through 10.0.24 and up to 11.0.6, creating a critical path for privilege escalation and system compromise. The technical implementation flaw stems from insufficient input validation and access control mechanisms within the file management functions, specifically when processing user-supplied file paths or identifiers. When a technician performs certain administrative operations, the application fails to properly sanitize or validate the file paths, allowing malicious input to traverse the filesystem and delete files that the web server process has write permissions on. This represents a classic path traversal vulnerability that aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal. The operational impact of this vulnerability extends beyond simple file deletion, as it provides attackers with the ability to remove critical system files, configuration data, or application components, which could lead to complete system compromise or denial of service conditions.
The vulnerability creates a significant attack surface for threat actors who can leverage the technician role to execute destructive operations against the target system. The flaw is particularly dangerous because it operates at the filesystem level rather than the application level, meaning that attackers can potentially remove any file that the web server process can access, including system binaries, configuration files, or database files. This vulnerability directly maps to ATT&CK technique T1078.004, which covers legitimate credentials, specifically focusing on the abuse of administrative privileges to gain access to restricted resources. The attack chain typically begins with gaining access to a technician account, which is often less restricted than administrative accounts, and then exploiting this flaw to escalate privileges or cause system disruption. The web server's write permissions create a dangerous condition where any file within the application's directory structure or other accessible paths can be targeted, potentially including log files, backup files, or even application libraries, which could lead to application instability or complete compromise.
Organizations using affected GLPI versions face a critical risk of data loss, system instability, and potential complete system compromise. The vulnerability can be exploited by attackers who have gained access to technician accounts through various means, including credential theft, social engineering, or exploitation of other vulnerabilities. The patch provided in versions 10.0.25 and 11.0.7 addresses the core issue by implementing proper input validation and access control measures that prevent unauthorized file path traversal operations. System administrators should immediately upgrade to the patched versions to mitigate this risk, while also implementing additional security controls such as the principle of least privilege for web server processes, regular file integrity monitoring, and enhanced access controls for technician accounts. The vulnerability demonstrates the importance of proper input validation and access control in web applications, as well as the need for regular security updates and vulnerability assessments. Organizations should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts of this type of vulnerability. The security implications extend to compliance requirements, where unauthorized file deletion could constitute a violation of data protection regulations and information security standards.
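The page does not show GLPI's own code. The following added Python example (not from GLPI, MITRE or VulDB) illustrates the CWE-22 deletion pattern described in the analysis beside the containment check that a patch of the kind mentioned above applies: resolve the path first, then verify it stays strictly inside the allowed directory. The directory layout, file names and the `vulnerable_delete`/`delete_within` functions are constructed for illustration and assume a POSIX filesystem with symlink support.

```python
import os
import tempfile
from pathlib import Path

class PathTraversalError(ValueError):
    """Raised when a caller-supplied name would resolve outside the allowed directory."""

def vulnerable_delete(base_dir: str, user_supplied: str) -> None:
    """Unsafe pattern, for contrast: join and unlink with no containment check,
    so '../x' or an absolute path escapes base_dir (the CWE-22 class above)."""
    os.unlink(os.path.join(base_dir, user_supplied))

def delete_within(base_dir: str, user_supplied: str) -> str:
    """Delete user_supplied only if it resolves to a regular file strictly inside base_dir.
    Resolving first rejects '..' segments, absolute paths and symlinks pointing outside;
    commonpath compares components, so '/srv/uploads-old' is not a child of '/srv/uploads'."""
    base = Path(base_dir).resolve(strict=True)
    target = (base / user_supplied).resolve()  # join first: an absolute input replaces base
    if target == base or os.path.commonpath([base, target]) != str(base):
        raise PathTraversalError(f"refusing to delete outside {base}: {user_supplied!r}")
    if not target.is_file():
        raise FileNotFoundError(user_supplied)
    target.unlink()
    return str(target)

def demo() -> dict:
    """Exercise both functions on a throwaway layout of constructed sample files."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "report.pdf").write_text("ok")
    config = root / "config.php"  # stands in for a webserver-writable file outside uploads
    config.write_text("<?php // credentials")
    (uploads / "link").symlink_to(config)  # symlink pointing out of the allowed directory
    (root / "notes.txt").write_text("x")
    results = {}
    cases = [("legit", "report.pdf"), ("dotdot", "../config.php"), ("symlink", "link"),
             ("absolute", str(config)), ("basedir", ".")]
    for label, name in cases:
        try:
            delete_within(str(uploads), name)
            results[label] = "deleted"
        except PathTraversalError:
            results[label] = "rejected"
    results["config_survives"] = config.exists()
    vulnerable_delete(str(uploads), "../notes.txt")  # unchecked join walks out of uploads
    results["unchecked_join_escaped"] = not (root / "notes.txt").exists()
    return results
```

Running `demo()` shows only the legitimate name being deleted by the hardened function, while the unchecked join removes a file outside the allowed directory.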