CVE-2026-42318: GLPI Vulnerable to Arbitrary Item Deletion via Planning Endpoint
GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User's planning.
Metrics
- CVSS v4.0: 7.0
- Severity: HIGH
- Fixed in: 10.0.25 (10.0.x branch), 11.0.7 (11.0.x branch)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization bypass in GLPI (the open-source IT asset management platform) allows any authenticated user with access to the planning feature to delete arbitrary objects throughout the application. The vulnerability is reachable over the network and requires only a low-privilege account; no admin credentials are needed. Successful exploitation lets an attacker delete any item in GLPI, causing data loss and service disruption. Upstream has published fixed releases, 10.0.25 and 11.0.7; HarborGuard tracks this advisory and provides a patched-image rebuild onto the fixed release of the affected branch.
HarborGuard Coverage
Detection of CVE-2026-42318 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected GLPI versions.
HarborGuard scores this finding at CVSS 7.0 (High) and weights it against each environment's compliance policy to prioritize routing. The resulting alert is directed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
Because upstream has published fixed releases (10.0.25 and 11.0.7), a patched-image rebuild is available. HarborGuard still re-evaluates the advisory on every ingest cycle in case the affected ranges or fix versions are revised. For customers with auto-remediation enabled, the rebuild, regression-test run, and a PR against affected workloads are queued automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the GLPI planning endpoint over the network; the service must be exposed to the attacker's network.
- Authentication: Required
Any low-privilege GLPI account with access to the planning feature is sufficient; no admin or elevated credentials are needed.
- Victim interaction: Not required
The attacker can trigger the deletion directly without any action from another user.
- Attack complexity: Low
The exploit is reliable and condition-free; no race conditions or special environmental factors are required to succeed.
Blast Radius
- The attacker can delete any object in the GLPI database, including assets, tickets, user records, and configuration items. Whether a deletion can be undone depends on whether the item type has a trash bin; once purged, the data is gone.
- Bulk deletion of critical IT asset records causes loss of inventory, audit trails, and incident history.
- Removal of configuration or user objects (entities, profiles, notification settings) disrupts ongoing IT operations and can leave GLPI itself partly unusable until restored from backup.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-42318 is active across all scanned environments, matching container images built on affected GLPI versions (9.5.0 through 10.0.24 and 11.0.0 through 11.0.6). Upstream has published fixed releases, 10.0.25 and 11.0.7, so a patched-image rebuild onto the fixed release of the same branch is available; for customers with auto-remediation enabled, this triggers a rebuild, regression-test run, and a PR opened against affected workloads. Where the upgrade cannot be rolled out immediately, the GLPI project recommends disabling delete rights on user planning as a compensating control; note that this removes a legitimate capability from those profiles until the upgrade lands. Network-policy isolation of the GLPI service to known trusted sources limits who can reach the application at all, but it does not help against an insider or a compromised low-privilege account, which is all the exploit needs, so the rights change and the upgrade are the controls that actually close the vulnerable path.
- glpi-project / glpi: >= 11.0.0, < 11.0.7 · >= 9.5.0, < 10.0.25
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Note that this vector encodes PR:H (high privileges required), while the advisory text and the upstream description state that any low-privilege account with planning access is sufficient. When assessing exposure, plan around the weaker precondition described in the text rather than the PR:H in the vector.
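The affected ranges above are easy to get wrong with a naive string comparison ("10.0.3" sorts after "10.0.25" lexically, yet 10.0.3 is affected and 10.0.25 is not). The following is an added example, not HarborGuard's or the GLPI project's code, that checks a GLPI install against the advisory's ranges using proper numeric version tuples. It assumes the install exposes its version as `define('GLPI_VERSION', '...')` in `inc/define.php`; the sample file contents are constructed for the example.

```python
"""Check a GLPI install against the affected ranges of CVE-2026-42318."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the advisory, as [first affected, first fixed) pairs.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((9, 5, 0), (10, 0, 25)),   # 9.5.0 <= v < 10.0.25, fixed in 10.0.25
    ((11, 0, 0), (11, 0, 7)),   # 11.0.0 <= v < 11.0.7, fixed in 11.0.7
)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")
# Assumed layout of inc/define.php: define('GLPI_VERSION', '10.0.24');
_DEFINE_RE = re.compile(
    r"define\(\s*['\"]GLPI_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]"
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple so that 10.0.3 < 10.0.25.
    Any pre-release suffix (e.g. '-dev') after the patch number is ignored."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GLPI version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_version_for(version: str) -> Optional[str]:
    """First fixed release on the install's branch, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(part) for part in hi)
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def version_from_define_php(source: str) -> str:
    """Pull GLPI_VERSION out of the text of inc/define.php (assumed layout)."""
    m = _DEFINE_RE.search(source)
    if not m:
        raise ValueError("GLPI_VERSION not found in define.php contents")
    return m.group(1)


def assess(define_php_source: str) -> Dict[str, object]:
    """Combine extraction and range check into one verdict for an install."""
    version = version_from_define_php(define_php_source)
    fixed = fixed_version_for(version)
    return {"version": version, "affected": fixed is not None, "upgrade_to": fixed}


# Constructed sample: the relevant lines of a vulnerable install's inc/define.php.
SAMPLE_DEFINE_PHP = """<?php
define('GLPI_VERSION', '10.0.24');
define('GLPI_SCHEMA_VERSION', '10.0.24');
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DEFINE_PHP))
```

Run it against a copy of `inc/define.php` pulled from the container image or the host; a result of `affected: True` means the install needs the listed upgrade, or the planning delete-rights workaround until it can be applied.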