GLPI, an open-source asset and IT management software, suffers from an improper authentication vulnerability identified as CVE-2026-25937 (CWE-287) affecting versions 11.0.0 up to but not including 11.0.6. The flaw allows a malicious actor who already possesses valid user credentials to bypass the multi-factor authentication mechanism, effectively negating the additional security layer intended to protect user accounts. This bypass means that even if MFA is enabled, attackers can authenticate solely with stolen or leaked credentials. The vulnerability is remotely exploitable without user interaction and requires the attacker to have some level of privileges (high privileges as per CVSS vector). The CVSS v3.1 base score is 6.5, reflecting a medium severity due to the high impact on confidentiality and integrity but no impact on availability. The vulnerability was publicly disclosed in March 2026, and the vendor addressed the issue in GLPI version 11.0.6. No public exploit code or active exploitation has been reported to date, but the risk remains significant given the critical nature of the data managed by GLPI installations. The improper authentication arises from flawed MFA implementation logic that fails to enforce the second factor when credentials are valid, allowing attackers to bypass this security control.

The primary impact of this vulnerability is unauthorized access to GLPI user accounts despite MFA protections, which can lead to significant confidentiality and integrity breaches. Attackers gaining access can view, modify, or delete sensitive asset and IT management information, potentially disrupting organizational operations and exposing critical infrastructure details. Since GLPI is often used in IT service management and asset tracking, compromised accounts could facilitate further lateral movement within networks, data exfiltration, or sabotage. The lack of availability impact means systems remain operational, but the trustworthiness and security of the data are compromised. Organizations relying on GLPI for IT asset management globally face increased risk of insider threats or external attackers leveraging stolen credentials to bypass MFA and escalate privileges.

Organizations should immediately upgrade all GLPI installations to version 11.0.6 or later, where the vulnerability is patched. Until patching is possible, administrators should consider disabling MFA temporarily if it is not properly enforced or supplementing GLPI authentication with additional network-level controls such as IP whitelisting or VPN access restrictions. Monitoring authentication logs for unusual login patterns or repeated failed MFA attempts can help detect exploitation attempts. Implement strict credential management policies, including regular password changes and use of strong, unique passwords to reduce the risk of credential theft. Additionally, organizations should conduct security awareness training to prevent phishing attacks that could lead to credential compromise. Finally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious authentication bypass attempts targeting GLPI.