PatchSiren


CVE-2026-32312 glpi-project CVE debrief

CVE-2026-32312 is a medium-severity GLPI issue disclosed on 2026-05-19. In affected versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission could export the structure of forms they were not authorized to access. The issue is fixed in GLPI 11.0.7.

Vendor: glpi-project
Product: glpi
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations running GLPI 11.0.0 through 11.0.6, especially teams that use forms and delegate READ permissions to non-admin users. Security, ITSM, and platform administrators should treat this as a confidentiality and access-control review item.

Technical summary

The vulnerability is an authorization failure in GLPI’s forms export path. According to the advisory and NVD record, an authenticated user with forms READ permission could export the structure of unauthorized forms. NVD lists the weakness as CWE-862 (missing authorization). The impact appears limited to exposure of form structure rather than arbitrary code execution or service disruption, which aligns with the reported CVSS 5.1 medium severity.

Defensive priority

Medium. This is not an availability or code-execution issue, but it can expose internal form structure to users who should not see it, so patching and permission review should be scheduled promptly.

Recommended defensive actions

  • Upgrade GLPI to version 11.0.7 or later.
  • Review forms READ permissions and confirm they are granted only to intended roles and users.
  • Audit for any workflows or integrations that rely on delegated forms access and tighten them where possible.
  • Check logs or audit trails for unexpected form export activity by authenticated users with limited permissions.
  • If immediate patching is not possible, reduce exposure by restricting access to forms features to the smallest necessary group.
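
One way to carry out the version and log checks above, as an added example that is not part of the original debrief or GLPI's own code: it tests a version against the affected range and replays a per-form access decision over export events, flagging exports by users who were not allowed on that form. The JSON event format, the field names, the "form_export" action label and the form-to-user access map are assumptions; map them to whatever your GLPI logs or reverse proxy actually record.

```python
import json

AFFECTED = ((11, 0, 0), (11, 0, 6))  # affected range stated in the CVE description

def is_affected(version: str) -> bool:
    """True if a plain x.y.z GLPI version string falls in the affected range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts = (parts + (0, 0, 0))[:3]  # pad short versions such as "11.0"
    return AFFECTED[0] <= parts <= AFFECTED[1]

def unauthorized_exports(lines, form_access):
    """Return (findings, skipped): export events whose user lacks access to that form."""
    findings, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            user, form_id, action = ev["user"], str(ev["form_id"]), ev["action"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it so coverage gaps stay visible
            continue
        if action != "form_export":
            continue
        # A form missing from the map is treated as "nobody allowed" (fail closed).
        if user not in form_access.get(form_id, set()):
            findings.append((ev.get("ts"), user, form_id))
    return findings, skipped

# Constructed sample data; field names and values are hypothetical, not GLPI's log schema.
FORM_ACCESS = {"12": {"alice", "bob"}, "17": {"alice"}}
SAMPLE_LOG = [
    '{"ts": "2026-05-20T09:14:02Z", "user": "alice", "action": "form_export", "form_id": 17}',
    '{"ts": "2026-05-20T09:20:41Z", "user": "bob", "action": "form_export", "form_id": 17}',
    '{"ts": "2026-05-20T09:21:07Z", "user": "bob", "action": "form_view", "form_id": 12}',
    '{"ts": "2026-05-20T09:30:00Z", "user": "carol", "action": "form_export", "form_id": 99}',
    'truncated {"ts": ',
]

if __name__ == "__main__":
    hits, skipped = unauthorized_exports(SAMPLE_LOG, FORM_ACCESS)
    for ts, user, form_id in hits:
        print(f"{ts} user={user} exported form {form_id} without per-form access")
    print(f"{skipped} malformed record(s) skipped")
```

Findings from the period an instance ran 11.0.0 through 11.0.6 are the ones to review first, since on 11.0.7 or later the export itself should be refused.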

Evidence notes

The CVE description states that versions 11.0.0 through 11.0.6 are affected and that the issue is fixed in 11.0.7. The NVD record marks the vulnerability as undergoing analysis and references the GLPI 11.0.7 release and the GitHub Security Advisory GHSA-cg63-qchq-q626. The NVD metadata also maps the issue to CWE-862.

Official resources

Publicly disclosed on 2026-05-19 and fixed in GLPI 11.0.7.