{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25937", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.786Z", "datePublished": "2026-03-17T23:16:38.069Z", "dateUpdated": "2026-03-19T03:55:19.142Z"}, "containers": {"cna": {"title": "GLPI has a MFA bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 11.0.0, < 11.0.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:16:38.069Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue."}], "source": {"advisory": "GHSA-2g3p-vwp2-7qxm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-25937"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T03:55:19.142Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T20:14:33.063175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:14:36.403Z"}}], "cna": {"title": "GLPI has a MFA bypass", "source": {"advisory": "GHSA-2g3p-vwp2-7qxm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 11.0.0, < 11.0.6"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:16:38.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25937", "state": "PUBLISHED", "dateUpdated": "2026-03-19T03:55:19.142Z", "dateReserved": "2026-02-09T16:22:17.786Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:16:38.069Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:teclib-edition:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "04DD49CA-3A87-4F7B-BCFC-8C6361C7E6FE", "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue."}, {"lang": "es", "value": "GLPI es un paquete de software gratuito de gesti\u00f3n de activos y TI. A partir de la versi\u00f3n 11.0.0 y antes de la versi\u00f3n 11.0.6, un actor malicioso con conocimiento de las credenciales de un usuario puede eludir la MFA y robar su cuenta. La versi\u00f3n 11.0.6 corrige el problema."}], "id": "CVE-2026-25937", "lastModified": "2026-03-23T18:16:40.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:18.570", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-2g3p-vwp2-7qxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.0.0,11.0.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glpi", "source": "cna", "vendor": "glpi-project"}, "product": "glpi", "vendor": "glpi-project"}], "analysis": {"en": {"generated_at": "2026-03-23T19:53:55.011039+00:00", "value": {"mitigation_remediation": ["Upgrade GLPI to version 11.0.6 or later"], "summary": {"action": "Immediate Patch", "impact": "MFA bypass allowing account compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the GLPI project, specifically versions 11.0.0 to 11.0.5 inclusive. All installations running those releases are at risk until upgraded to 11.0.6 or later.", "description_and_impact": "GLPI versions 11.0.0 through 11.0.5 contain an authentication flaw. An attacker who knows a user\u2019s login credentials can bypass the system\u2019s multi\u2011factor authentication and access the account as if they were the legitimate user. This flaw enables unauthorized use of the affected GLPI instance.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, requiring the attacker to possess valid user credentials \u2013 for example, through phishing or credential theft \u2013 and the flaw can be exploited without additional conditions. Based on the description, it is inferred that the attacker can perform this action remotely and gain the same privileges as the compromised account."}}}}, "created": "2026-03-18T10:42:35.613338+00:00", "updated": "2026-03-24T10:54:24.464203+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}