CVE-2026-42318 in GLPI

Summary

by MITRE • 06/03/2026

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.


Analysis

by VulDB Data Team • 06/04/2026

This vulnerability is an authorization flaw in GLPI that lets low privilege users escalate their effective privileges by deleting objects they are not authorized to remove. The issue stems from insufficient access control validation within the planning module: a user whose only entitlement is planning access can trigger deletion operations against objects anywhere in the GLPI system. This is a classic privilege escalation that violates the principle of least privilege and reflects an incomplete access control implementation. The vulnerability affects versions 9.5.0 through 10.0.24 and 11.0.6 and earlier, creating a window of exposure in which malicious actors could exploit the weakness to disrupt operations and compromise data integrity.

The technical flaw manifests as a lack of proper authorization checks when processing delete requests within the planning interface. When users access the planning module, the system fails to validate whether the requesting user has appropriate permissions to delete the specific objects they are attempting to remove. This oversight creates a path for unauthorized deletion of critical system components including assets, tickets, users, and configuration data. The vulnerability can be classified under CWE-284 (Improper Access Control) and aligns with ATT&CK technique T1485 (Data Destruction) and T1078 (Valid Accounts) as it leverages existing user access to perform destructive actions. The flaw essentially allows a user with minimal privileges to bypass normal access controls and execute operations typically restricted to administrators or privileged users.
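To make the authorization gap described above concrete, here is a constructed model (added example, not GLPI's own code or data model) of a "delete from planning" handler in two versions. The rights table, the object store, the right bits and the itemtype names are all assumptions for illustration; the flawed version checks only that the caller may use the planning module, while the hardened version checks the caller's DELETE right against the type of the object actually being removed and refuses object types the planning endpoint is not meant to manage.

```python
"""Constructed model of a planning deletion handler, before and after an
authorization fix. Not GLPI's code: the rights schema and itemtypes are
assumptions for illustration only."""
from dataclasses import dataclass, field

READ, UPDATE, DELETE = 1, 2, 4  # constructed right bits


@dataclass
class User:
    name: str
    # itemtype -> bitmask of rights (constructed, not GLPI's profile schema)
    rights: dict = field(default_factory=dict)

    def can(self, itemtype: str, right: int) -> bool:
        return bool(self.rights.get(itemtype, 0) & right)


@dataclass
class Store:
    # object id -> itemtype; stands in for the database
    objects: dict = field(default_factory=dict)


# Object types the planning module is legitimately expected to manage.
PLANNING_ITEMTYPES = {"PlanningEvent", "Reminder"}


def delete_from_planning_vulnerable(user: User, obj_id: int, store: Store) -> bool:
    """Flawed handler: only checks that the caller may use the planning
    module, then deletes whatever object id was supplied."""
    if not user.can("Planning", READ):
        return False
    if obj_id not in store.objects:
        return False
    del store.objects[obj_id]
    return True


def delete_from_planning_fixed(user: User, obj_id: int, store: Store) -> bool:
    """Hardened handler: the DELETE right is checked on the target object's
    own type, and the planning endpoint refuses types outside its scope."""
    if not user.can("Planning", READ):
        return False
    itemtype = store.objects.get(obj_id)
    if itemtype is None:
        return False
    if itemtype not in PLANNING_ITEMTYPES:
        return False  # planning must not reach arbitrary objects
    if not user.can(itemtype, DELETE):
        return False  # least privilege: DELETE on this specific type
    del store.objects[obj_id]
    return True


def demo() -> dict:
    """Run both handlers against a low privilege planner and an admin."""
    low = User("planner", {"Planning": READ, "PlanningEvent": READ | UPDATE})
    admin = User("admin", {"Planning": READ,
                           "PlanningEvent": READ | UPDATE | DELETE,
                           "Ticket": READ | UPDATE | DELETE})

    def fresh() -> Store:
        # constructed objects: a ticket and a planning event
        return Store({42: "Ticket", 7: "PlanningEvent"})

    return {
        # flawed handler lets the planner delete a Ticket
        "vuln_ticket_low": delete_from_planning_vulnerable(low, 42, fresh()),
        # fixed handler: Ticket is outside planning scope
        "fixed_ticket_low": delete_from_planning_fixed(low, 42, fresh()),
        # fixed handler: planner lacks DELETE on PlanningEvent
        "fixed_event_low": delete_from_planning_fixed(low, 7, fresh()),
        # fixed handler: admin holds DELETE on PlanningEvent
        "fixed_event_admin": delete_from_planning_fixed(admin, 7, fresh()),
        # fixed handler: even admin cannot delete a Ticket via planning
        "fixed_ticket_admin": delete_from_planning_fixed(admin, 42, fresh()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks in the hardened handler are independent: scoping the endpoint to its own object types stops the cross-module deletion, and checking DELETE on the concrete itemtype enforces least privilege even inside that scope.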

The operational impact of this vulnerability extends beyond simple data loss, as it can severely disrupt IT asset management processes and compromise system availability. Low privilege users could delete critical assets, configuration items, or user accounts, leading to complete operational paralysis of the GLPI system. The potential for cascading failures exists when users delete core objects that other system components depend upon, creating a domino effect of system instability. Organizations relying on GLPI for IT asset management, helpdesk operations, and inventory tracking face significant risks including service disruption, compliance violations, and potential data breaches. The vulnerability particularly affects environments where multiple users have access to planning features but should not possess deletion capabilities across the entire system.

Organizations should upgrade to version 10.0.25 or 11.0.7 without delay, as these releases contain proper access control validation for planning-related deletion operations. Where patching cannot be applied immediately, administrators should disable delete rights for user planning access through the permission management interface. This workaround mitigates the risk by ensuring that users with planning access cannot perform deletion operations at all. Layering the workaround with the patch follows the principle of defense in depth, in which multiple controls protect against the same weakness. Additionally, organizations should review access control settings to ensure that user permissions match actual operational requirements, and implement monitoring to detect unauthorized deletion activities. Security teams should also consider automated alerting for deletion operations and regular audits of user permissions to prevent similar weaknesses from emerging in other system components.
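The monitoring and alerting suggested above can be prototyped with a small log review. The following is an added example, not part of the VulDB page or GLPI: the log line format, user names and itemtypes are constructed for illustration (GLPI's real audit log format is not assumed here). It flags deletions issued through the planning module against object types that planning is not expected to manage, counts deletions per user for threshold-based alerting, and skips lines it cannot parse.

```python
"""Constructed detection example: review deletion events issued via the
planning module. The log format below is invented for this example and
is not GLPI's own log format."""
import re

# Constructed line shape: "<date> <time> user=.. action=.. itemtype=.. id=.. via=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"itemtype=(?P<itemtype>\S+) id=(?P<id>\d+) via=(?P<via>\S+)$"
)

# Object types the planning module is legitimately expected to manage (assumed).
PLANNING_ITEMTYPES = {"PlanningEvent", "Reminder"}

# Constructed sample log, including one malformed line.
SAMPLE_LOG = """\
2026-06-04 10:15:02 user=planner action=delete itemtype=PlanningEvent id=7 via=planning
2026-06-04 10:15:40 user=planner action=delete itemtype=Ticket id=42 via=planning
2026-06-04 10:16:05 user=admin action=delete itemtype=Computer id=13 via=assets
this line is not a log event
2026-06-04 10:17:11 user=planner action=delete itemtype=User id=5 via=planning
2026-06-04 10:18:00 user=planner action=update itemtype=Ticket id=43 via=planning
"""


def parse_event(line: str):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious_deletions(log_text: str, planning_types=PLANNING_ITEMTYPES) -> list:
    """Deletions routed through planning whose target type is outside the
    types planning should manage. Each alert is (timestamp, user, itemtype, id)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue  # unparsable line: skip rather than crash the review
        if ev["action"] != "delete" or ev["via"] != "planning":
            continue
        if ev["itemtype"] not in planning_types:
            alerts.append((ev["ts"], ev["user"], ev["itemtype"], int(ev["id"])))
    return alerts


def deletions_per_user(log_text: str) -> dict:
    """Count delete actions per user, regardless of module, for threshold alerts."""
    counts: dict = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["action"] == "delete":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


def users_over_threshold(log_text: str, threshold: int) -> list:
    """Users whose deletion count exceeds the threshold, sorted by name."""
    return sorted(u for u, n in deletions_per_user(log_text).items() if n > threshold)


if __name__ == "__main__":
    for alert in find_suspicious_deletions(SAMPLE_LOG):
        print("ALERT planning deletion outside scope:", alert)
    print("deletions per user:", deletions_per_user(SAMPLE_LOG))
    print("over threshold (2):", users_over_threshold(SAMPLE_LOG, 2))
```

On an unpatched instance the first rule is the direct indicator: a delete routed through planning that targets a Ticket, User or other non-planning type is exactly the behaviour the flaw permits. The per-user count is a coarser second signal that also covers patched instances where a user simply holds more delete rights than intended.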

Responsible: GitHub M

Reservation: 04/26/2026

Disclosure: 06/03/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: low
