CVE-2026-22247
Published: 04 February 2026
Summary
CVE-2026-22247 is a medium-severity SSRF (CWE-918) vulnerability in GLPI (Glpi-Project). Its CVSS base score is 4.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 23.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22247 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the Webhook feature of GLPI, a free asset and IT management software package. It affects GLPI versions from 11.0.0 up to but not including 11.0.5 and was published on 2026-02-04.
A GLPI administrator can exploit this vulnerability to perform SSRF requests. The CVSS v3.1 base score is 4.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N), indicating that exploitation is possible over the network with low complexity, requires high privileges, involves no user interaction, changes scope, and results in low impact to confidentiality with no impact to integrity or availability.
The vulnerability has been addressed in GLPI version 11.0.5. Additional details are available in the release notes at https://github.com/glpi-project/glpi/releases/tag/11.0.5 and the security advisory at https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5385
Vulnerability details
GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF requests through the Webhook feature. This issue has been patched in version 11.0.5.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a web application (the GLPI webhook feature) lets an authenticated administrator turn a public-facing or network-accessible service into a proxy for reaching internal resources, which aligns with T1190 whether the access is used for initial entry or for post-authentication abuse.
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): Enforces information flow rules that block the webhook feature from initiating arbitrary outbound requests to internal or external resources.
- SI-10 (Information Input Validation): Requires validation of all URL inputs supplied to the webhook configuration so that only permitted destinations can be reached by the server.
- Outbound connection restriction: Restricts outbound network connections from the GLPI application server, limiting the destinations an SSRF payload can reach even if the webhook accepts it.
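As an added illustration of the SI-10 control above (example code, not GLPI's own webhook validation), this Python validator accepts a webhook destination only if it uses an allowed scheme, its host is on an operator allowlist, and every address the host resolves to lies outside internal ranges. The allowlist, hostnames and DNS table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy: webhooks may only use HTTPS and may only target these
# operator-approved hosts (a hypothetical allowlist, not GLPI configuration).
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"hooks.example.com", "alerts.example.net"}

# Constructed DNS table so the example runs offline (not the real addresses of
# these names). The second name is allowlisted yet resolves internally.
FAKE_DNS = {"hooks.example.com": ["51.15.23.42"],
            "alerts.example.net": ["10.0.0.5"]}

def fake_resolver(host, port, **_):
    """Returns records in socket.getaddrinfo's shape from FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))
            for ip in FAKE_DNS[host]]

def is_public_ip(ip: str) -> bool:
    """False for loopback, private, link-local, multicast, reserved ranges."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def validate_webhook_url(url: str, resolver=socket.getaddrinfo):
    """Return (accepted, reason) for a webhook destination URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:          # also rejects raw IPs like 127.0.0.1
        return False, f"host not on allowlist: {host!r}"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "invalid port"
    try:                                   # resolve and check every address
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    bad = sorted({i[4][0] for i in infos if not is_public_ip(i[4][0])})
    if bad:
        return False, f"host resolves to non-public address(es): {bad}"
    return True, "ok"
```

Checking resolved addresses when the webhook is saved does not pin the address used when it later fires, so this check belongs alongside the outbound connection restriction listed above rather than in place of it.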