This is a security release, upgrading is recommended
You will find below the list of security issues fixed in this bugfixes version:
- [SECURITY - Medium] Unauthorized debug mode activation (CVE-2026-45801)
- [SECURITY - Medium] LDAP filter injection in user import feature (CVE-2026-49469)
- [SECURITY - Medium] Unallowed authentication method update by administrator (CVE-2026-53628)
- [SECURITY - Medium] Unexpected access to update operations through the API (CVE-2026-53627)
- [SECURITY - Medium] Unallowed modification of knowbase items comments and translations (CVE-2026-55217)
- [SECURITY - Medium] Unallowed notifications sending (CVE-2026-57152)
- [SECURITY - High] SQL injection in dropdowns (CVE-2026-47678)
- [SECURITY - High] Arbitrary file deletion (CVE-2026-47679)
- [SECURITY - High] Account takeover via 2FA brute force (CVE-2026-49470)
- [SECURITY - High] Privilege Escalation via authtype API manipulation (CVE-2026-53625)
- [SECURITY - High] Reflected XSS in dashboards (CVE-2026-53610)
- [SECURITY - High] Arbitrary document read (CVE-2026-53626)
- [SECURITY - High] SQL injection in history tab (CVE-2026-53629)
- [SECURITY - High] Stored XSS in suppliers (CVE-2026-55214)
- [SECURITY - CRITICAL] RCE via Form import (CVE-2026-48482)
- [SECURITY - CRITICAL] MFA bypass (CVE-2026-52848)
The full changelog is available for more details.
We would like to thank all people who contributed to this new version and all those who contributes regularly to the GLPI project!
Regards.