What is the severity of CVE-2025-23046?

CVE-2025-23046 has a high severity due to its potential for unauthorized access to GLPI installations.

How do I fix CVE-2025-23046?

To fix CVE-2025-23046, upgrade GLPI to a version newer than 10.0.18.

What software versions are affected by CVE-2025-23046?

CVE-2025-23046 affects GLPI versions from 9.5.0 up to but not including 10.0.18.

What type of vulnerability is CVE-2025-23046?

CVE-2025-23046 is an authentication vulnerability related to OAuth connection in GLPI.

Can CVE-2025-23046 be exploited remotely?

Yes, CVE-2025-23046 can be exploited remotely by anyone with a valid username.

Vulnerability/
CVE-2025-23046

high

7.5

CWE

303

25/2/2025

28/2/2025

CVE-2025-23046: GLPI vulnerable to unauthorized authentication by email using the OAuthIMAP plugin

First published: Tue Feb 25 2025(Updated: )

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
GLPI	>=9.5.0<10.0.18
GLPI	>=9.5.0<10.0.18

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-23046?
CVE-2025-23046 has a high severity due to its potential for unauthorized access to GLPI installations.
How do I fix CVE-2025-23046?
To fix CVE-2025-23046, upgrade GLPI to a version newer than 10.0.18.
What software versions are affected by CVE-2025-23046?
CVE-2025-23046 affects GLPI versions from 9.5.0 up to but not including 10.0.18.
What type of vulnerability is CVE-2025-23046?
CVE-2025-23046 is an authentication vulnerability related to OAuth connection in GLPI.
Can CVE-2025-23046 be exploited remotely?
Yes, CVE-2025-23046 can be exploited remotely by anyone with a valid username.

collector/mitre-cve
source/MITRE
agent/weakness
agent/references
agent/description
agent/title
agent/type
agent/source
agent/author
agent/first-publish-date
agent/last-modified-date
agent/severity
agent/event
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
agent/tags
collector/nvd-api
source/NVD
vendor/glpi
canonical/glpi
vendor/glpi-project
version/glpi/9.5.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.