GLPI 11.0.8: critical update fixes RCE and MFA bypass

On June 24, 2026, the GLPI team released versions 11.0.8 and 10.0.26. This is the most critical security update since GLPI 11 launched — it addresses 16 vulnerabilities in total, including two critical ones: a remote code execution (RCE) through form import and a multi-factor authentication (MFA) bypass.

Two critical vulnerabilities

Both critical flaws affect only the 11.0 branch:

  • CVE-2026-48482 — remote code execution via native form import. Native forms are a new feature in GLPI 11, replacing the FormCreator plugin. An attacker with access to the form import function can execute arbitrary code on the server through a crafted import file.
  • CVE-2026-52848 — multi-factor authentication bypass. MFA was one of the headline security improvements in GLPI 11, yet this flaw allows an attacker to completely skip the second authentication factor.

The combination is particularly dangerous — an attacker who bypasses MFA can then leverage the form import RCE to take full control of the server.

Eight high-severity vulnerabilities

Beyond the critical pair, the update fixes eight high-severity issues:

  • CVE-2026-49470 — account takeover via brute-force attacks against 2FA codes (11.0 only)
  • CVE-2026-47678 — SQL injection in dropdown lists (10.0 and 11.0)
  • CVE-2026-47679 — arbitrary file deletion on the server (10.0 and 11.0)
  • CVE-2026-53625 — privilege escalation via API authtype manipulation (10.0 and 11.0)
  • CVE-2026-53610 — reflected XSS in dashboards (11.0 only)
  • CVE-2026-53626 — arbitrary document read (11.0 only)
  • CVE-2026-53629 — SQL injection in the history tab (10.0 and 11.0)
  • CVE-2026-55214 — stored XSS in supplier data (11.0 only)

Six medium-severity fixes

The remaining six medium-severity vulnerabilities cover unauthorized debug mode activation (CVE-2026-45801), LDAP filter injection during user import (CVE-2026-49469), unauthorized API access to update operations (CVE-2026-53627, CVE-2026-53628), unauthorized knowledge base modifications (CVE-2026-55217), and unauthorized notification sending (CVE-2026-57152).

Who is affected

GLPI 11.0.0 through 11.0.7 users are vulnerable to all 16 issues, including both critical ones. Users on the 10.0 branch (before 10.0.26) are affected by nine shared vulnerabilities — the critical RCE and MFA bypass do not apply to them, since native forms and MFA are exclusive to version 11.
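As an added check, not code from the GLPI project or from the advisory, the script below classifies an installed GLPI version against the affected ranges stated above (fixed in 11.0.8 and 10.0.26). It assumes the version constant is stored as GLPI_VERSION in inc/define.php of the installation directory.

```shell
#!/bin/sh
# Added example: is this GLPI install inside the advisory's affected ranges?
# Fixed releases per the advisory: 11.0.8 (11.0 branch) and 10.0.26 (10.0 branch).

# Split "x.y.z" into three integers, padding missing parts with 0.
split3() { printf '%s\n' "$1" | awk -F. '{printf "%d %d %d", $1, $2, $3}'; }

# Compare two dotted versions; prints lt, eq or gt.
vercmp() {
  set -- $(split3 "$1") $(split3 "$2")
  a1=$1; a2=$2; a3=$3; b1=$4; b2=$5; b3=$6
  if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && echo lt || echo gt; return; fi
  if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && echo lt || echo gt; return; fi
  if [ "$a3" -ne "$b3" ]; then [ "$a3" -lt "$b3" ] && echo lt || echo gt; return; fi
  echo eq
}

# Read GLPI_VERSION from inc/define.php (assumed location of the constant).
glpi_installed_version() {
  sed -n "s/^define('GLPI_VERSION', '\([^']*\)');.*/\1/p" "$1/inc/define.php"
}

# Classify a version: exit 0 = vulnerable, 1 = fixed, 2 = branch not covered.
glpi_advisory_status() {
  v=$1
  case $v in
    11.0.*)
      if [ "$(vercmp "$v" 11.0.8)" = lt ]; then
        echo "VULNERABLE: $v is in 11.0.0-11.0.7 (all 16 CVEs, incl. RCE and MFA bypass); update to 11.0.8"
        return 0
      fi ;;
    10.0.*)
      if [ "$(vercmp "$v" 10.0.26)" = lt ]; then
        echo "VULNERABLE: $v is before 10.0.26 (shared CVEs only; RCE and MFA bypass do not apply); update to 10.0.26"
        return 0
      fi ;;
    *)
      echo "UNKNOWN: $v is not on a branch covered by this advisory"
      return 2 ;;
  esac
  echo "FIXED: $v already contains the 11.0.8 / 10.0.26 fixes"
  return 1
}

# Usage: sh glpi-check.sh /var/www/glpi   (or: sh glpi-check.sh 11.0.7)
if [ -n "${1:-}" ]; then
  if [ -d "$1" ]; then glpi_advisory_status "$(glpi_installed_version "$1")"
  else glpi_advisory_status "$1"; fi
fi
```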

How to update

The procedure mirrors the previous 11.0.7 update: back up your database and files, verify plugin compatibility, enable maintenance mode, replace the application files, and run php bin/console db:update. Coming from 11.0.7, the migration is quick.

Download archives are available on GitHub in the glpi-project/glpi repository under the 11.0.8 and 10.0.26 tags. An official Docker image is also available for GLPI 11.

Why this one cannot wait

This is the fourth security release in four months (11.0.5 through 11.0.8), but 11.0.8 is different — it contains the first critical RCE in the GLPI 11 series. Remote code execution represents the highest risk tier, and published CVE details lower the barrier for potential attackers. Every hour without the update is an hour your server is exposed to full compromise.
