CVE-2026-13490 | A security vulnerability has been detected in glpi-project g… | CVSS 3.7 LOW

Description

A security vulnerability has been detected in glpi-project glpi 11.0.5/11.0.6/11.0.7. This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler. Such manipulation of the argument docid leads to authorization bypass. The attack can be executed remotely. This attack is characterized by high complexity. It is indicated that the exploitability is difficult. The vendor was contacted early about this disclosure.

Metadata

CVE ID: CVE-2026-13490
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-27 15:57 UTC
Published: 2026-06-28 11:00 UTC
Last updated: 2026-06-28 11:00 UTC
Primary CWE: CWE-639
Authorization Bypass
Vendor / Product: glpi-project / glpi
Sources: cve.org · NVD

Severity & Metrics

3.7 LOW CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
glpi-project	glpi	—	11.0.5, 11.0.6, 11.0.7

Weakness (CWE)

CWE	Source	Description
CWE-285	cna	Improper Authorization
CWE-639	cna	Authorization Bypass

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
3.7	LOW	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R
3.7	LOW	3.0	cna	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R
2.6	N/D	2.0	cna	AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:UR

References (4)

VDB-374487 | glpi-project glpi Document document.send.php canViewFile authorization https://vuldb.com/vuln/374487
VDB-374487 | CTI Indicators (IOB, IOC, IOA) https://vuldb.com/vuln/374487/cti
CVE-2026-13490 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13490
Submit #838225 | glpi-project glpi 11.0.5 - 11.0.7 Authorization Bypass https://vuldb.com/submit/838225