This is a security release, upgrading is recommended
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - Low] Unauthorized update of configuration
- [SECURITY - Low] Unauthorized IMAP connection probing
- [SECURITY - Low] Unauthorized reading of a specific asset object
- [SECURITY - Low] Unauthorized modification of webhook payload templates
- [SECURITY - Low] Unauthorized Webhook CRA Validation SSRF
- [SECURITY - Low] Webhook CRA signature bypass
- [SECURITY - Low] Unauthorized resending of queued webhooks
- [SECURITY - Medium] Unauthorized export of form structure (CVE-2026-32312)
- [SECURITY - Medium] Arbitrary files access (CVE-2026-42320)
- [SECURITY - High] Stored XSS in knowledge base (CVE-2026-5385)
- [SECURITY - High] Stored XSS in ITIL Costs (CVE-2026-40108)
- [SECURITY - High] Arbitrary item deletion via planning (CVE-2026-42318)
- [SECURITY - High] Arbitrary files deletion by technician (CVE-2026-42317)
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.