CVE-2025-64516: CWE-284: Improper Access Control in glpi-project glpi
GLPI is a free asset and IT management software package. Prior to 10.0.21 and 11.0.3, an unauthorized user can access GLPI documents attached to any item (ticket, asset, ...). If the public FAQ is enabled, this unauthorized access can be performed by an anonymous user. This vulnerability is fixed in 10.0.21 and 11.0.3.
AI Analysis
Technical Summary
CVE-2025-64516 is an improper access control vulnerability (CWE-284) found in the GLPI IT asset and service management software. GLPI versions from 10.0.0 up to but not including 10.0.21, and 11.0.0 up to but not including 11.0.3, are affected. The vulnerability allows unauthorized users to access documents attached to any GLPI item, such as tickets, assets, or other managed entities. If the public FAQ feature is enabled, this unauthorized access can be performed by completely anonymous users without authentication or user interaction, making exploitation trivial over the network. The vulnerability arises from insufficient access control checks on document retrieval endpoints, allowing attackers to bypass authorization mechanisms. The impact is primarily on confidentiality, as sensitive documents could be exposed to unauthorized parties. There is no impact on data integrity or system availability. The vulnerability was publicly disclosed on January 15, 2026, with a CVSS v3.1 base score of 7.5, indicating high severity due to network exploitability, no required privileges, and no user interaction. Although no known exploits are currently observed in the wild, the simplicity of exploitation and the sensitive nature of the data involved make this a significant risk. The issue is resolved in GLPI versions 10.0.21 and 11.0.3 by implementing proper access control checks on document access.
Potential Impact
For European organizations, this vulnerability poses a significant risk of unauthorized disclosure of sensitive documents related to IT assets, tickets, and other managed items within GLPI. Such exposure could lead to leakage of confidential information, including internal incident reports, asset inventories, or sensitive operational data. This can undermine organizational security postures, facilitate further attacks, or cause compliance violations under GDPR and other data protection regulations. Since GLPI is widely used in public sector institutions, educational organizations, and private enterprises across Europe for IT service management, the scope of affected systems is broad. The vulnerability's ease of exploitation without authentication increases the risk of opportunistic attacks from external threat actors. Although no integrity or availability impacts are present, the confidentiality breach alone can have severe operational and reputational consequences. Organizations relying on GLPI for critical IT management functions should treat this as a high-priority threat.
Mitigation Recommendations
European organizations should immediately verify their GLPI versions and upgrade to at least 10.0.21 (10.x branch) or 11.0.3 (11.x branch) to remediate the vulnerability. If immediate patching is not feasible, disabling the public FAQ feature removes the anonymous access path; this is only a partial mitigation, since on unpatched versions any unauthorized user, not only anonymous ones, can reach documents attached to other items. Additionally, network-level access controls should restrict access to GLPI management interfaces to trusted internal networks or VPNs. Monitoring and logging of document access should be enhanced to detect unauthorized attempts. Organizations should audit document permissions and review attached files for sensitive content that may have been exposed. Web Application Firewall (WAF) rules that detect anomalous document access patterns can provide an additional layer of defense. Finally, raising user awareness of the importance of securing IT management tools and timely patching is critical to reduce exposure.
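The two mitigation steps above that lend themselves to automation are the version check and the review of document access logs. The script below is an added example, not GLPI project code or part of this advisory: it decides whether a reported GLPI version falls inside the affected ranges stated above (10.0.0 up to but not including 10.0.21, 11.0.0 up to but not including 11.0.3), names the release to upgrade to, and scans web-server access log lines for a client that successfully retrieved many distinct document IDs, the kind of anomalous access pattern a WAF rule or SIEM search would alert on. `DOC_PATH`, `ID_PARAM` and the log lines are constructed placeholders: set the first two to the document download path and ID parameter of your own deployment, and feed the function your real access log.

```python
"""Triage helpers for CVE-2025-64516 (added example, not GLPI project code).

Two defender-side checks drawn from the advisory's mitigation section:
  1. is_affected / upgrade_target: is a reported GLPI version inside
     10.0.0 <= v < 10.0.21 or 11.0.0 <= v < 11.0.3, and which release fixes it;
  2. document_enumeration_candidates: scan access-log lines for a client that
     successfully pulled many distinct document IDs from the document download
     handler, an anomalous access pattern worth alerting on.
DOC_PATH and ID_PARAM are placeholders (assumptions): set them to the document
download path and ID parameter of your own deployment.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Fixed releases per branch, as stated in the advisory.
FIXED_BY_BRANCH: Dict[int, Tuple[int, int, int]] = {10: (10, 0, 21), 11: (11, 0, 3)}

# PLACEHOLDERS: replace with your deployment's document download path and ID parameter.
DOC_PATH = "/PLACEHOLDER-document-download"
ID_PARAM = "id"


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract MAJOR.MINOR.PATCH from a GLPI version string such as '10.0.20'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is inside one of the advisory's affected ranges."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])  # branches not listed (e.g. 9.x) are not in scope
    return fixed is not None and v < fixed


def upgrade_target(version: str) -> Optional[str]:
    """Minimum fixed release for an affected version; None when no upgrade is required."""
    if not is_affected(version):
        return None
    return ".".join(str(n) for n in FIXED_BY_BRANCH[parse_version(version)[0]])


# Combined-format access log line; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def document_enumeration_candidates(
    lines: Iterable[str], doc_path: str = DOC_PATH, id_param: str = ID_PARAM, threshold: int = 5
) -> Dict[str, int]:
    """Map client -> number of distinct document IDs, for clients at or above threshold.

    Only HTTP 200 responses count: on a patched instance unauthorized requests
    should not succeed, so a burst of 403s is noise here while a burst of 200s is not.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != doc_path:
            continue
        seen[m.group("client")].update(parse_qs(parts.query).get(id_param, []))
    return {client: len(ids) for client, ids in seen.items() if len(ids) >= threshold}


def _log_line(client: str, target: str, status: int) -> str:
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{client} - - [15/Jan/2026:16:18:13 +0000] "GET {target} HTTP/1.1" {status} 18342 "-" "curl/8.4.0"'


# Constructed sample: one client walks six IDs with success, one fetches two,
# one walks six IDs but is refused (as a patched instance would do).
SAMPLE_LOG: List[str] = (
    [_log_line("203.0.113.5", f"{DOC_PATH}?{ID_PARAM}={i}", 200) for i in range(1, 7)]
    + [_log_line("198.51.100.7", f"{DOC_PATH}?{ID_PARAM}={i}", 200) for i in (3, 4)]
    + [_log_line("203.0.113.9", f"{DOC_PATH}?{ID_PARAM}={i}", 403) for i in range(1, 7)]
    + [_log_line("198.51.100.7", "/index.php", 200)]
)


if __name__ == "__main__":
    for v in ("10.0.20", "10.0.21", "11.0.2", "11.0.3", "9.5.14"):
        print(f"{v}: affected={is_affected(v)} upgrade_to={upgrade_target(v)}")
    print("enumeration candidates:", document_enumeration_candidates(SAMPLE_LOG))
```

The version check keys on the major version so that a 10.x instance is measured against 10.0.21 and an 11.x instance against 11.0.3; a version from a branch the advisory does not list is reported as not affected rather than guessed at. The log scan counts distinct IDs per client over the whole input, so in production you would bucket lines by time window before calling it and tune `threshold` to the normal download volume of your help desk.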
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-05T21:15:39.400Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696913454c611209ad3d9faf
Added to database: 1/15/2026, 4:18:13 PM
Last enriched: 1/15/2026, 4:32:43 PM
Last updated: 1/15/2026, 5:43:40 PM