A vulnerability classified as critical was found in glpi-project glpi 11.0.5/11.0.6/11.0.7 . This affects the function Document::canViewFile of the file front/document.send.php of the component Document Handler . Such manipulation of the argument docid leads to authorization bypass. This vulnerability is documented as CVE-2026-13490 . The attack can be executed remotely. There is not any exploit available. The vendor was contacted early about this disclosure.