CVE-2026-42317: GLPI vulnerable to arbitrary files deletion by technician
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch.
Metrics
- CVSS v4.0: 7.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file deletion vulnerability affects GLPI, the open-source IT asset management platform, in all versions from 0.78 up to (but not including) 10.0.25 and 11.0.7. The flaw is reachable over the network and requires only a technician-level account, a low-privilege role common in GLPI deployments. Successful exploitation lets an attacker delete any file on the server filesystem that the web server process has write access to, causing data loss or service disruption. No fix versions have been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection (Available): Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle GLPI. Any image running an affected version of glpi-project/glpi is flagged immediately.
Triage (Available): HarborGuard scores this issue at CVSS 7.0 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
Remediation (Pending upstream): Because no upstream fix has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment versions 10.0.25 or 11.0.7 are released upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix is available.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the GLPI web service over the network.
- Authentication: Required
A technician-level account (or higher) is required; any low-privilege user holding that role is sufficient to trigger the vulnerability.
- Victim interaction: Not required
No victim interaction is needed; the attacker can exploit the flaw directly without involving another user.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is straightforward and reliable, with no race conditions or special environmental setup required.
Blast Radius
- An attacker deletes arbitrary files on the server filesystem wherever the web server process holds write permissions.
- Deleting application or configuration files disrupts the GLPI service, making IT asset management unavailable to the organization.
- Deletion of log or audit files destroys forensic evidence, complicating incident response after an attack.
- Critical data files such as uploaded attachments or plugin assets can be permanently removed with no built-in recovery path.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously across all customer environments scanning images that include GLPI. Because no upstream patch exists yet, HarborGuard re-evaluates the advisory on every ingest cycle. The moment versions 10.0.25 or 11.0.7 are published upstream, a patched-image rebuild will become available; for customers who have opted into auto-remediation, this triggers a full rebuild, automated regression run, and a PR opened against affected workloads without manual action. In the interim, compensating controls worth considering include network-policy rules that restrict GLPI access to known internal IP ranges, filesystem-level hardening to limit the web server process to only the directories it genuinely needs write access to, and review of which accounts hold the technician role to reduce the pool of potential abusers. HarborGuard will surface a patch notification in the affected image's detail view as soon as upstream publishes a fix.
- glpi-project/glpi: >= 11.0.0, < 11.0.7 · >= 0.78, < 10.0.25
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N