Authorization Bypass Vulnerability in GLPI Document Handler by GLPI-Project
CVE-2026-13490

6.3MEDIUM

Key Information:

Vendor

GLPI Project
Status
Glpi
Vendor
CVE Published:
28 June 2026

What is CVE-2026-13490?

A vulnerability has been identified in the GLPI Document Handler that affects versions 11.0.5 to 11.0.7. This issue resides in the 'canViewFile' function of 'front/document.send.php', allowing attackers to bypass authorization measures by manipulating the 'docid' argument. The attack can be executed remotely, presenting a complex threat due to the specific conditions required for exploitation. Early communication with the vendor has already taken place regarding this matter.

Affected Version(s)

glpi 11.0.5

glpi 11.0.6

glpi 11.0.7

References

https://vuldb.com/vuln/374487
vdb-entrytechnical-description
https://vuldb.com/vuln/374487/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-13490
third-party-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rafaelczanett (VulDB User)
VulDB CNA Team
.