PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13490 glpi-project CVE debrief

CVE-2026-13490 is an authorization bypass vulnerability in the Document Handler component of glpi-project glpi versions 11.0.5, 11.0.6, and 11.0.7. The vulnerability exists in the `Document::canViewFile` function within the `front/document.send.php` file. An attacker can exploit this vulnerability remotely, but the attack has high complexity and exploitation is considered difficult. The vendor, glpi-project, was contacted early about this disclosure.

Vendor: glpi-project
Product: glpi
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-28
Original CVE updated: 2026-06-28
Advisory published: 2026-06-28
Advisory updated: 2026-06-28

Who should care

Security teams responsible for glpi-project glpi installations, particularly those running versions 11.0.5, 11.0.6, or 11.0.7, should be aware of this vulnerability. Given the MEDIUM CVSS score of 6.3, organizations should prioritize patching to prevent potential authorization bypass attacks. The attack's high complexity and the difficulty of exploitation may reduce immediate risk for now, but defenders should remain vigilant.

Technical summary

CVE-2026-13490 is a MEDIUM-severity vulnerability (CVSS score 6.3) affecting glpi-project glpi versions 11.0.5, 11.0.6, and 11.0.7. It is an authorization bypass vulnerability in the Document Handler component, specifically in the `Document::canViewFile` function of `front/document.send.php`. The vulnerability can be exploited remotely, but the attack has high complexity and exploitation is difficult. The associated Common Weakness Enumeration (CWE) entries include CWE-285 and CWE-639.

Defensive priority

Apply patches for glpi-project glpi versions 11.0.5, 11.0.6, and 11.0.7 immediately. Given the remote exploitation and MEDIUM severity, prioritize patching to prevent potential authorization bypass attacks.

Recommended defensive actions

  • Apply patches for glpi-project glpi versions 11.0.5, 11.0.6, and 11.0.7
  • Review and update access controls for the Document Handler component
  • Monitor for suspicious activity related to document access
  • Verify and enforce proper authorization for document viewing
  • Consider implementing compensating controls for sensitive documents
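
For the monitoring action above, the following is an added example (not part of the original advisory and not GLPI code) that summarizes web access logs per client for requests to `front/document.send.php` and flags clients that touch many distinct document ids or are refused repeatedly. It assumes the Apache/nginx "combined" log format and that the document id travels in a `docid` query parameter; the thresholds and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/front/document.send.php"  # file named in the advisory
ID_PARAM = "docid"                     # assumption: parameter carrying the document id


def summarize(lines):
    """Per client IP: distinct document ids requested, refusals, total hits."""
    stats = defaultdict(lambda: {"ids": set(), "denied": 0, "total": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        # endswith() also covers installs under a sub-path such as /glpi
        if not url.path.endswith(ENDPOINT):
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        s["ids"].update(parse_qs(url.query).get(ID_PARAM, []))
        if m["status"] in ("401", "403", "404"):
            s["denied"] += 1
    return stats


def flag(stats, max_ids=5, max_denied=3):
    """Clients over either illustrative threshold; review these, they are leads only."""
    return sorted(ip for ip, s in stats.items()
                  if len(s["ids"]) > max_ids or s["denied"] >= max_denied)


# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [28/Jun/2026:09:00:01 +0000] "GET /glpi/front/document.send.php?docid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [28/Jun/2026:09:02:10 +0000] "GET /glpi/front/ticket.form.php?id=4 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [28/Jun/2026:09:05:{i:02d} +0000] "GET /glpi/front/document.send.php'
    f'?docid={100 + i} HTTP/1.1" {200 if i % 4 == 0 else 403} 300 "-" "curl/8.0"'
    for i in range(8)
]

if __name__ == "__main__":
    print(flag(summarize(SAMPLE)))
```

Tune `max_ids` and `max_denied` against a baseline of normal document access before alerting on the output.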

Evidence notes

The CVE-2026-13490 entry was obtained from the National Vulnerability Database (NVD) and has a single source reference from Vuldb. The CVE was published and modified on 2026-06-28T12:17:03.350Z. The CVSS score is 6.3, indicating a MEDIUM severity vulnerability. The vulnerability affects glpi-project glpi versions 11.0.5, 11.0.6, and 11.0.7.

This article is AI-assisted and based on the supplied source corpus.