CVE-2026-22248 is a deserialization of untrusted data vulnerability (CWE-502) found in the GLPI project, an open-source IT asset and service management software widely used for ITIL service desk operations, license tracking, and software auditing. The vulnerability exists in GLPI versions from 11.0.0 up to but not including 11.0.5. It allows an authenticated technician-level user to upload a crafted malicious file that exploits unsafe PHP object instantiation during deserialization. This unsafe deserialization can lead to arbitrary code execution on the server, compromising the system’s confidentiality, integrity, and availability. The vulnerability requires the attacker to have authenticated access with technician privileges, which are typically granted to internal IT staff or trusted users. No user interaction beyond authentication is needed. The vulnerability has a CVSS v3.1 base score of 8.1, indicating high severity, with network attack vector, high privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. The flaw was publicly disclosed on March 11, 2026, and fixed in GLPI version 11.0.5. No public exploit code or active exploitation in the wild has been reported yet, but the potential impact is significant given the nature of the vulnerability and the critical role GLPI plays in IT management environments.

The vulnerability allows an authenticated technician user to execute arbitrary code on the GLPI server, potentially leading to full system compromise. This can result in unauthorized access to sensitive IT asset data, disruption of IT service management operations, and manipulation or destruction of critical configuration and license tracking information. The compromise of GLPI servers could also serve as a pivot point for attackers to move laterally within an organization’s network, escalating privileges and accessing other critical systems. Given GLPI’s role in ITIL service desks, exploitation could severely impact incident response and IT operations continuity. Organizations relying on GLPI for asset management and auditing face risks to data confidentiality, integrity, and availability, potentially causing operational downtime, data breaches, and compliance violations.

Organizations should immediately upgrade GLPI installations to version 11.0.5 or later, where this vulnerability is patched. Until upgrading, restrict technician user privileges to only trusted personnel and monitor for suspicious file uploads or unusual activity within GLPI. Implement network segmentation to limit access to GLPI servers and apply strict access controls and multi-factor authentication for all users with elevated privileges. Conduct regular audits of GLPI logs to detect potential exploitation attempts. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious deserialization payloads. Educate IT staff on the risks of deserialization vulnerabilities and ensure secure coding practices are followed in any custom GLPI plugins or integrations.