Session Fixation Vulnerability in GLPI IT Management Software by GLPI Project
CVE-2026-23624

4.3MEDIUM

Key Information:

Vendor

GLPI Project
Status
Glpi
Vendor
CVE Published:
4 February 2026

What is CVE-2026-23624?

A vulnerability exists within the GLPI IT management software that allows an attacker to exploit remote authentication scenarios based on SSO variables. This manipulation could enable malicious users to hijack an active session of another user who is utilizing the same machine. As a result, unauthorized actions may be performed under the identity of the legitimate user without their consent. It is crucial to upgrade to the patched versions of GLPI to mitigate this risk and secure user sessions.

Affected Version(s)

glpi >= 0.71, < 10.0.23 < 0.71, 10.0.23

glpi >= 11.0.0-alpha, < 11.0.5 < 11.0.0-alpha, 11.0.5

References

https://github.com/glpi-project/glpi/security/advisories/...
x_refsource_CONFIRM
https://github.com/glpi-project/glpi/releases/tag/10.0.23
x_refsource_MISC
https://github.com/glpi-project/glpi/releases/tag/11.0.5
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.