CVE-2026-23624

4.3 MEDIUM

📋 TL;DR

This vulnerability in GLPI allows session hijacking when remote authentication via SSO is used. An attacker on the same machine can steal another user's active GLPI session. This affects GLPI installations using SSO-based remote authentication.

💻 Affected Systems

Products:
  • GLPI
Versions: 0.71 to 10.0.22, and 11.0.0 to 11.0.4
Operating Systems: All platforms running GLPI
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when remote authentication using SSO variables is configured. Standard local authentication is not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains unauthorized access to another user's GLPI session, potentially accessing sensitive IT asset data, performing unauthorized actions, or escalating privileges within the GLPI system.

🟠 Likely Case

Session theft leading to unauthorized access to GLPI data and functionality under the victim's permissions, potentially including asset management data and IT service information.

🟢 If Mitigated

Limited impact if proper session management controls, network segmentation, and access controls are in place to prevent unauthorized machine access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the same machine as the victim and SSO-based authentication to be enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.23 or 11.0.5

Vendor Advisory: https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477

Restart Required: No

Instructions:

1. Backup your GLPI installation and database.
2. Download GLPI 10.0.23 or 11.0.5 from the official releases.
3. Replace existing files with the patched version.
4. Run the update script if upgrading between major versions.

🔧 Temporary Workarounds

Disable SSO Remote Authentication

Applies to: all

Temporarily disable SSO-based remote authentication until patching is complete.

Edit the GLPI configuration to disable remote authentication via SSO.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from accessing machines with active GLPI sessions
  • Enable session timeout policies and force regular re-authentication for GLPI users

🔍 How to Verify

Check if Vulnerable:

Check if GLPI version is between 0.71-10.0.22 or 11.0.0-11.0.4 and SSO remote authentication is enabled

Check Version:

Check GLPI version in the web interface footer or via 'php glpi/version.php'

Verify Fix Applied:

Verify GLPI version is 10.0.23 or higher, or 11.0.5 or higher

📡 Detection & Monitoring

Log Indicators:

  • Multiple sessions from same IP with different user accounts
  • Unusual session activity patterns

Network Indicators:

  • Multiple authentication requests from same source in short timeframe

SIEM Query:

source="glpi" AND (event="session_start" OR event="authentication") | stats count by src_ip, user
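A local check of the "multiple user accounts from the same source IP" indicator listed above, as an added example that is not from this page or the GLPI project. The log lines are constructed, and the field names (event, src_ip, user) mirror the SIEM query rather than GLPI's native log format, so the parser must be adapted to whatever your logging pipeline actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; field names follow the SIEM query above,
# not GLPI's native log format.
SAMPLE_LOG = """\
2026-01-10T09:00:01 event=session_start src_ip=10.0.0.5 user=alice
2026-01-10T09:00:30 event=authentication src_ip=10.0.0.5 user=alice
2026-01-10T09:03:12 event=session_start src_ip=10.0.0.5 user=bob
2026-01-10T09:04:40 event=session_start src_ip=10.0.0.5 user=carol
2026-01-10T09:10:00 event=session_start src_ip=10.0.0.9 user=dave
2026-01-10T11:30:00 event=session_start src_ip=10.0.0.9 user=erin
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def flag_shared_source_ips(log_text, window_minutes=10, min_users=2):
    """Return {src_ip: sorted user list} for source IPs where at least
    `min_users` distinct accounts started sessions or authenticated
    within `window_minutes` of each other."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # src_ip -> [(ts, user)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") in ("session_start", "authentication"):
            events[f["src_ip"]].append((f["ts"], f["user"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-ordered events for this IP.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {user for _, user in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users | set(flagged.get(ip, [])))
    return flagged
```

With the sample data, 10.0.0.5 is flagged (three accounts within five minutes) while 10.0.0.9 is not, because its two logins are hours apart; shared NAT or proxy addresses will also match, so tune the window and allowlist known gateways before alerting on this.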

🔗 References
