CVE Catalog

CVE-2026-13490

Low · CVSS 3.7

Exploitation Probability (EPSS)

Low risk
0.31%

23rd percentile: higher than 23% of all known CVEs

Summary

A security vulnerability has been detected in GLPI versions 11.0.5, 11.0.6, and 11.0.7 in the Document Handler component. The function Document::canViewFile in front/document.send.php improperly validates the docid argument, leading to authorization bypass. The attack can be executed remotely but is difficult to exploit due to high complexity.

Risk Assessment

Authorization bypass could allow an unauthorized attacker to access sensitive documents stored in GLPI, posing a risk of data leakage.

Recommendation

Apply the patches provided by the GLPI vendor for versions 11.0.5, 11.0.6, and 11.0.7 immediately. Until the update is applied, restrict access to the front/document.send.php file and monitor logs for suspicious requests.

Original NVD description (English source)

A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass. The attack can be executed remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS