CVE-2026-44281 · Severity: HIGH · CNA: GitHub_M

CVE-2026-44281: GLPI vulnerable to unauthorized reading of a specific asset object

GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, an authenticated user with config READ permission can read a specific asset object. Upgrade to 11.0.7 or 10.0.25 to receive a patch.

Metrics

  • CVSS v4.0 score: 7.0
  • Severity: HIGH
  • Fixed in: not listed in this record (the description names 10.0.25 and 11.0.7)
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authorization bypass in GLPI (an open-source IT asset management platform) lets an authenticated user who holds only config READ permission read a specific asset object that their account should not be able to access. Per the CVSS vector, the flaw is reachable over the network (AV:N) and requires a high-privilege account (PR:H). The high integrity and availability impact reported here (VI:H, VA:H) comes from that vector rather than from the advisory description, which covers only an unauthorized read; taken at face value it would let an attacker tamper with or disrupt asset data. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as upstream fix versions are published.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that package GLPI. Any image running a GLPI version in the affected ranges (>= 0.78, < 10.0.25 or >= 11.0.0, < 11.0.7) is flagged automatically.

Triage: Available

HarborGuard scores this finding at 7.0 HIGH using the CVSS v4.0 vector and weights it further against each customer environment's compliance policy. Triage routing is available to direct the finding to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix versions have been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a fix for the affected GLPI releases. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the GLPI service over the network; local or physical access is not required.

  • Authentication: Required

    A high-privilege account (specifically one holding config READ permission) is needed to trigger the vulnerability.

  • Victim interaction: Not required

    No action from another user or victim is needed; the attacker can exploit this independently.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or special environmental conditions.

Blast Radius

  • An attacker reads a specific asset object that their account should not have access to, potentially exposing sensitive IT inventory details.
  • An attacker modifies persisted asset data, corrupting IT inventory records or altering configuration objects.
  • An attacker disrupts availability of asset data, causing service degradation or loss of access to affected IT management records.

How HarborGuard Handles This

Available on HarborGuard. Because no upstream patch exists yet for CVE-2026-44281, HarborGuard continuously re-checks the advisory on each ingest cycle across all customer environments. When GLPI ships a fix (expected at versions 10.0.25 and 11.0.7 based on the advisory), a patched-image rebuild will become available immediately. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be opened automatically at that point. In the interim, compensating controls available through HarborGuard include network-policy isolation to restrict inbound access to GLPI instances and egress filtering to limit lateral movement from a compromised host. Customers can also use HarborGuard's policy engine to flag any image in the affected version ranges for manual review and hold promotion to production.

Affected packages

  • glpi-project / glpi: >= 0.78, < 10.0.25 · >= 11.0.0, < 11.0.7

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N