CVE-2025-64520: CWE-862: Missing Authorization in glpi-project glpi
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
AI Analysis
Technical Summary
CVE-2025-64520 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the GLPI IT asset and service management software. Specifically, versions starting from 9.1.0 up to 10.0.20 inclusive lack proper authorization checks on API endpoints that serve knowledge base entries. An attacker with API access but without proper privileges can exploit this flaw to read all knowledge base content, which may include sensitive operational procedures, troubleshooting guides, or internal documentation. The vulnerability does not allow modification or deletion of data, nor does it impact system availability. The CVSS v3.1 base score is 6.5, reflecting a medium severity due to high confidentiality impact but no integrity or availability impact, and requiring low privileges but no user interaction. The vulnerability was publicly disclosed on December 16, 2025, with no known exploits in the wild at the time of publication. The recommended remediation is to upgrade to GLPI version 10.0.21, where the authorization checks have been properly implemented to restrict knowledge base access to authorized users only.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive internal knowledge base information, which could aid attackers in reconnaissance or social engineering attacks. The confidentiality breach could expose operational procedures, security policies, or incident response guidelines, potentially weakening organizational security posture. While the vulnerability does not allow data modification or service disruption, the leakage of sensitive information can have downstream effects, including compliance violations under GDPR if personal data or security controls are indirectly exposed. Organizations relying on GLPI for IT asset and service management should consider the risk of insider threats or external attackers gaining API access. The impact is particularly relevant for sectors with stringent data protection requirements such as government, healthcare, and finance.
Mitigation Recommendations
The primary mitigation is to upgrade GLPI installations to version 10.0.21 or later, where the authorization flaw is fixed. Until upgrade is possible, organizations should restrict API access strictly to trusted and authenticated users, employing network segmentation and firewall rules to limit exposure. Implement strong authentication and authorization controls around the GLPI API, including the use of API keys or tokens with minimal privileges. Monitor API access logs for unusual or unauthorized activity. Conduct regular audits of GLPI user permissions and API usage. Additionally, consider disabling the knowledge base API endpoints if not required. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation.
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium
CVE-2025-64520: CWE-862: Missing Authorization in glpi-project glpi
Description
GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.21, an unauthorized user with an API access can read all knowledge base entries. Users should upgrade to 10.0.21 to receive a patch.
AI-Powered Analysis
Technical Analysis
CVE-2025-64520 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the GLPI IT asset and service management software. Specifically, versions starting from 9.1.0 up to 10.0.20 inclusive lack proper authorization checks on API endpoints that serve knowledge base entries. An attacker with API access but without proper privileges can exploit this flaw to read all knowledge base content, which may include sensitive operational procedures, troubleshooting guides, or internal documentation. The vulnerability does not allow modification or deletion of data, nor does it impact system availability. The CVSS v3.1 base score is 6.5, reflecting a medium severity due to high confidentiality impact but no integrity or availability impact, and requiring low privileges but no user interaction. The vulnerability was publicly disclosed on December 16, 2025, with no known exploits in the wild at the time of publication. The recommended remediation is to upgrade to GLPI version 10.0.21, where the authorization checks have been properly implemented to restrict knowledge base access to authorized users only.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive internal knowledge base information, which could aid attackers in reconnaissance or social engineering attacks. The confidentiality breach could expose operational procedures, security policies, or incident response guidelines, potentially weakening organizational security posture. While the vulnerability does not allow data modification or service disruption, the leakage of sensitive information can have downstream effects, including compliance violations under GDPR if personal data or security controls are indirectly exposed. Organizations relying on GLPI for IT asset and service management should consider the risk of insider threats or external attackers gaining API access. The impact is particularly relevant for sectors with stringent data protection requirements such as government, healthcare, and finance.
Mitigation Recommendations
The primary mitigation is to upgrade GLPI installations to version 10.0.21 or later, where the authorization flaw is fixed. Until upgrade is possible, organizations should restrict API access strictly to trusted and authenticated users, employing network segmentation and firewall rules to limit exposure. Implement strong authentication and authorization controls around the GLPI API, including the use of API keys or tokens with minimal privileges. Monitor API access logs for unusual or unauthorized activity. Conduct regular audits of GLPI user permissions and API usage. Additionally, consider disabling the knowledge base API endpoints if not required. Incorporate this vulnerability into vulnerability management and patching workflows to ensure timely remediation.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-05T21:15:39.400Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6941d6c9b8ff87d8f9416195
Added to database: 12/16/2025, 10:01:45 PM
Last enriched: 12/23/2025, 10:19:09 PM
Last updated: 2/7/2026, 5:13:42 AM
Views: 157
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.