CVE-2026-32312 MEDIUM

CVE-2026-32312: GLPI: Unauthorized export of form structure

Vendor Glpi-Project

Product glpi

Weakness CWE-862 · Missing authorization

Published May 18, 2026

Last update May 19, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7.

Key dates

02Disclosure timeline

May 18, 2026 CVE published

May 19, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32312

Related vulnerabilities

04Related CVE

CVE-2025-69358 WordPress EventPrime plugin <= 4.2.6.0 - Broken Access Control vulnerability CVE-2023-25454 WordPress Protected Posts Logout Button plugin <= 1.4.5 - Broken Access Control vulnerability CVE-2024-5126 Improper Access Control in lunary-ai/lunary CVE-2025-68479 Discourse subscriptions are susceptible to takeover CVE-2024-13703 CRM and Lead Management by vcita <= 2.7.5 - Missing Authorization to Authenticated (Susbcriber+) Widget Toggle