Cyber Resilience

CVE-2026-22247

Medium

Published: 04 February 2026
Modified: 06 February 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 4.1, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
EPSS Score: 0.0032 (23.3rd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22247 is a medium-severity SSRF (CWE-918) vulnerability in Glpi-Project Glpi. Its CVSS base score is 4.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.3rd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22247 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Webhook feature of GLPI, a free asset and IT management software package. It affects GLPI versions from 11.0.0 up to but not including 11.0.5, as published on 2026-02-04.

A GLPI administrator can exploit this vulnerability to perform SSRF requests. The CVSS v3.1 base score is 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N), indicating that exploitation is possible over the network with low complexity, requires high privileges, involves no user interaction, has changed scope, and results in low impact to confidentiality with no impact to integrity or availability.

The vulnerability has been addressed in GLPI version 11.0.5. Additional details are available in the release notes at https://github.com/glpi-project/glpi/releases/tag/11.0.5 and the security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x.

Vulnerability details

GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF requests through the Webhook feature. This issue has been patched in version 11.0.5.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in a web application (here the GLPI webhook) lets an authenticated administrator make the network-accessible GLPI server issue requests toward internal resources on their behalf. That abuse of a public-facing or network-accessible service maps to T1190, whether used for initial access or for post-authentication pivoting.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66417: same product (Glpi-Project Glpi)
CVE-2025-23046: same product (Glpi-Project Glpi)
CVE-2026-26263: same product (Glpi-Project Glpi)
CVE-2025-21619: same product (Glpi-Project Glpi)
CVE-2026-26027: same product (Glpi-Project Glpi)
CVE-2026-26026: same product (Glpi-Project Glpi)
CVE-2026-29047: same product (Glpi-Project Glpi)
CVE-2025-64516: same product (Glpi-Project Glpi)
CVE-2026-22044: same product (Glpi-Project Glpi)
CVE-2025-24799: same product (Glpi-Project Glpi)

Affected Assets

Vendor: glpi-project
Product: glpi
Versions: 11.0.0 up to, but not including, 11.0.5 (fixed in 11.0.5)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (AC-4, Information Flow Enforcement): Enforces information flow rules that block the webhook feature from initiating arbitrary outbound requests to internal or external resources.

Prevent (SI-10, Information Input Validation): Requires validation of all URL inputs supplied to the webhook configuration so that only permitted destinations can be reached by the server.

Prevent: Restricts outbound network connections from the GLPI application server, limiting the destinations an SSRF payload can reach even if the webhook accepts it.
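The URL-validation control above, carried into working code as an added example (this is not GLPI's code): a webhook destination validator that combines a scheme restriction, an optional host allowlist and a resolve-then-screen step so every address a webhook URL resolves to is checked before any request is made. The hostnames, DNS answers and blocked ranges are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges a webhook must never reach (RFC 1918, CGNAT, loopback, link-local incl.
# 169.254.169.254 cloud metadata, multicast, IPv6 counterparts). Illustrative;
# ipaddress's is_global is stricter but also rejects the 203.0.113.0/24 sample range.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

# Constructed DNS table (assumption) so the example runs offline; each value
# is the full set of A/AAAA answers a resolver would return for that name.
FAKE_DNS = {"hooks.example.com": ["203.0.113.10"],
            "rebind.example.net": ["203.0.113.20", "10.0.0.5"],  # public + internal
            "metadata.example.net": ["169.254.169.254"]}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:     # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_webhook_url(url, resolve=fake_resolve, allowed_hosts=None):
    """Return (ok, reason). HTTPS only, no embedded credentials, host on the
    allowlist (if given), no resolved address on the blocklist; re-run per redirect."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme not permitted"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        ipaddress.ip_address(host)            # literal address: check it directly
        addrs = [host]
    except ValueError:
        addrs = resolve(host)                 # every resolved answer must pass
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        if is_blocked(addr):
            return False, f"destination {addr} is not permitted"
    return True, "ok"
```

A name that resolves to a mix of public and internal addresses is rejected outright, and the HTTP client that finally sends the webhook must apply the same check to each redirect target, otherwise a permitted host can bounce the request inward.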
