GLPI 11.0.8 and 10.0.26 Patch 16 Flaws, Including 2 Critical Vulnerabilities
On Wednesday, June 24, 2026, GLPI received two security releases, versions 11.0.8 and 10.0.26. Together they address two critical flaws in version 11, including one RCE, along with 9 vulnerabilities shared by both versions. Here’s what you need to know.
GLPI is an open-source asset management and service desk solution maintained by the French vendor Teclib'. Support tickets, inventory, licenses, contracts: because of its feature set, this tool concentrates sensitive information. In other words, an exposed and vulnerable GLPI server is a prime target, which is why these patches should not be left unapplied.
Both versions are available now in the project’s GitHub repository. As the vendor reminds us, "This is a security release, upgrade is recommended." Let’s take a closer look at what that actually means.
Two Critical Flaws and Five Other Issues Specific to GLPI 11
If you are using GLPI 11, you need to install version 11.0.8. It fixes 16 vulnerabilities in total, including 7 that are specific to it. And two of them are rated critical:
- CVE-2026-48482 (critical): remote code execution (RCE) via form import
- CVE-2026-52848 (critical): multi-factor authentication (MFA) bypass
- CVE-2026-49470 (important): account takeover via brute-force attack on the second factor (2FA)
- CVE-2026-53610 (important): reflected XSS in dashboards
- CVE-2026-53626 (important): arbitrary document read
- CVE-2026-55214 (important): stored XSS affecting vendors
- CVE-2026-53627 (moderate): unexpected access to update operations via the API
Why do these flaws affect only GLPI 11? Quite simply because they target features introduced with this major release. The critical RCE, for example, affects form import: native forms are a new feature in GLPI 11, whereas GLPI 10 relied on the FormCreator plugin.
Two of the vulnerabilities specific to GLPI 11 target its strengthened authentication mechanisms. MFA, presented as one of the main new features of GLPI 11, is vulnerable to bypass and to account takeover via brute force against 2FA.
The other nine flaws affect both branches, GLPI 10 and GLPI 11. These nine are exactly what version 10.0.26 fixes: no vulnerability in this batch is specific to the GLPI 10 branch, so upgrading it patches all of the shared issues.
Four of them are rated important:
- CVE-2026-47678: SQL injection in drop-down lists
- CVE-2026-47679: arbitrary file deletion
- CVE-2026-53625: privilege escalation via authtype manipulation in the API
- CVE-2026-53629: SQL injection in the history tab
The last five are considered moderate:
- CVE-2026-45801: unauthorized enabling of debug mode
- CVE-2026-49469: LDAP filter injection in the user import function
- CVE-2026-53628: unauthorized change of the authentication method by an administrator
- CVE-2026-55217: unauthorized modification of knowledge base comments and translations
- CVE-2026-57152: unauthorized sending of notifications
In total, that brings the count to 16 fixed flaws in GLPI 11.0.8 (7 specific + 9 shared) and 9 in GLPI 10.0.26 (the 9 shared ones).
Update Without Delay
Back in April, it was GLPI 11.0.7 and 10.0.25 that patched around ten vulnerabilities. This time, the total climbs a bit higher, with two critical flaws on the GLPI 11 branch. Beyond the security fixes, both releases also include their share of bug fixes and minor improvements, detailed in the changelogs published on GitHub.
If you administer a GLPI instance, installing these updates is recommended. If needed, our step-by-step tutorial to update GLPI will walk you through the process. And to go further, you can also audit the security of your GLPI server using the open-source glpwnme tool to verify your instance’s real-world exposure.
- Release notes: GLPI 11.0.8 & GLPI 10.0.26