CVE-2025-23046

GLPI vulnerable to unauthorized authentication by email using the OAuthIMAP plugin

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth authorization has already been established. Version 10.0.18 contains a patch. As a workaround, one may disable any "Mail servers" authentication provider configured to use an Oauth connection provided by the OauthIMAP plugin.


We have discovered 17 live websites that are affected by CVE-2025-23046.





Affected Software

Product  GLPI
Category Help desk
Vulnerable Domains  17 live websites (57% of GLPI install base)
Vulnerable Versions
  • from 9.5 through 10.0.18
Vulnerable Versions Count  4 versions (44% of all versions)


Common Weakness Enumeration

CWE-303 Incorrect Implementation of Authentication Algorithm



Details

  • Published - Feb 25, 2025
  • Updated - Feb 25, 2025

Website Distribution by Country

Number of websites affected by CVE-2025-23046

United States  2 websites
Brazil         3 websites
New Zealand    3 websites
France         2 websites
GB             2 websites
Italy          1 website
Lithuania      1 website
Poland         1 website
Russia         1 website
Turkey         1 website

Website Distribution by TLD

Number of websites affected by CVE-2025-23046

.com     2 websites
.com.br  1 website
.eu      1 website
.fr      1 website
.info    1 website
.it      1 website
.pl      1 website
.ru      1 website


Websites affected by CVE-2025-23046

Top websites that are affected by CVE-2025-23046.

FAQ

CVE-2025-23046 is an Incorrect Implementation of Authentication Algorithm vulnerability (CWE-303) in GLPI.
A total of 17 websites have been identified as vulnerable to CVE-2025-23046, based on global website indexing conducted by WebTechSurvey.
GLPI is affected by the CVE-2025-23046 vulnerability.
GLPI versions up to 10.0.18 are vulnerable to CVE-2025-23046.
CVE-2025-23046 is resolved in version 10.0.18 of GLPI.