CVE-2025-23046

7.5 HIGH

📋 TL;DR

This vulnerability allows authentication bypass in GLPI when the OauthIMAP plugin is used as a Mail servers authentication provider. Anyone can log in with any username for which an OAuth authorization has already been established. It affects GLPI installations where the OauthIMAP plugin is configured for Mail servers authentication.

💻 Affected Systems

Products:
  • GLPI
Versions: 9.5.0 to 10.0.17
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when OauthIMAP plugin is configured for Mail servers authentication provider

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users gain access to GLPI with privileges of any user who has previously authorized Oauth, potentially leading to data theft, privilege escalation, or system compromise.

🟠

Likely Case

Attackers access GLPI with user accounts they shouldn't have access to, potentially viewing sensitive IT asset data or performing unauthorized actions.

🟢

If Mitigated

With proper access controls and monitoring, the impact is limited to detecting and containing the unauthorized access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of existing Oauth authorizations and targeted user accounts

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.18

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-vfxc-qg3v-j2r5

Restart Required: No

Instructions:

1. Backup GLPI installation and database.
2. Download GLPI 10.0.18 from the official repository.
3. Replace existing files with the new version.
4. Run the database update if prompted.

🔧 Temporary Workarounds

Workaround: Disable OauthIMAP Mail servers authentication

Applies to: all

Description: Disable any Mail servers authentication provider configured to use an OAuth connection from the OauthIMAP plugin.

Steps: Navigate to GLPI Setup > Authentication > Mail servers and disable the affected providers.

🧯 If You Can't Patch

  • Disable OauthIMAP plugin entirely
  • Implement network segmentation to restrict GLPI access

🔍 How to Verify

Check if Vulnerable:

Check GLPI version and verify if OauthIMAP plugin is configured for Mail servers authentication

Check Version:

Check GLPI About page or database glpi_config table for version

Verify Fix Applied:

Confirm GLPI version is 10.0.18 or later, verify OauthIMAP authentication works correctly

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns from unexpected IPs
  • Multiple failed login attempts followed by successful Oauth logins

Network Indicators:

  • Authentication requests to Oauth endpoints without corresponding user actions

SIEM Query:

source="glpi" (event_type="authentication" AND auth_method="oauth" AND result="success") | stats count by user, src_ip
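Added example (not from the advisory, GLPI or the OauthIMAP project): the log indicators and SIEM query above expressed as offline detection logic over a constructed, whitespace-separated event format; GLPI's real log format and field names are assumptions.

```python
"""Detection over constructed GLPI-style auth events (format assumed, not GLPI's own)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, src_ip, auth_method, result.
SAMPLE_LOG = """\
2025-01-20T08:00:01 alice 10.0.0.5 local success
2025-01-20T08:01:10 bob 203.0.113.9 oauth failure
2025-01-20T08:01:12 bob 203.0.113.9 oauth failure
2025-01-20T08:01:15 bob 203.0.113.9 oauth failure
2025-01-20T08:01:20 bob 203.0.113.9 oauth success
2025-01-20T09:15:00 bob 10.0.0.7 oauth success
2025-01-20T09:20:00 carol 10.0.0.8 oauth success
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, src_ip, method, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src_ip": src_ip, "auth_method": method, "result": result})
    return events

def oauth_success_counts(events):
    """Equivalent of the SIEM query: count successful OAuth logins by (user, src_ip)."""
    return Counter((e["user"], e["src_ip"]) for e in events
                   if e["auth_method"] == "oauth" and e["result"] == "success")

def failures_then_oauth_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Users whose OAuth success follows >= min_failures failures within the window."""
    flagged = set()
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["auth_method"] != "oauth" or e["result"] != "success":
                continue
            recent_fail = [x for x in evs[:i]
                           if x["result"] == "failure" and e["ts"] - x["ts"] <= window]
            if len(recent_fail) >= min_failures:
                flagged.add(user)
    return flagged

def users_with_multiple_source_ips(events):
    """Users with successful OAuth logins from more than one source IP."""
    ips = defaultdict(set)
    for user, ip in oauth_success_counts(events):
        ips[user].add(ip)
    return {u for u, s in ips.items() if len(s) > 1}
```

Thresholds and window are assumptions to tune against your own baseline of OAuth login activity.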

🔗 References
