{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23624", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.482Z", "datePublished": "2026-02-04T17:15:33.750Z", "dateUpdated": "2026-02-04T19:56:27.764Z"}, "containers": {"cna": {"title": "GLPI is vulnerable to session stealing on externally authenticated user change", "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "lang": "en", "description": "CWE-384: Session Fixation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"}, {"name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"version": ">= 0.71, < 10.0.23", "status": "affected"}, {"version": ">= 11.0.0-alpha, < 11.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:15:33.750Z"}, "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."}], "source": {"advisory": "GHSA-5j4j-vx46-r477", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:56:08.999117Z", "id": "CVE-2026-23624", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:56:27.764Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23624", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:56:08.999117Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:56:18.966Z"}}], "cna": {"title": "GLPI is vulnerable to session stealing on externally authenticated user change", "source": {"advisory": "GHSA-5j4j-vx46-r477", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "glpi-project", "product": "glpi", "versions": [{"status": "affected", "version": ">= 0.71, < 10.0.23"}, {"status": "affected", "version": ">= 11.0.0-alpha, < 11.0.5"}]}], "references": [{"url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477", "name": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "name": "https://github.com/glpi-project/glpi/releases/tag/10.0.23", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "name": "https://github.com/glpi-project/glpi/releases/tag/11.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:15:33.750Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23624", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:56:27.764Z", "dateReserved": "2026-01-14T16:08:37.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T17:15:33.750Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "D09C27B0-C82A-4F14-845D-FF7991EDBBE4", "versionEndExcluding": "10.0.23", "versionStartIncluding": "0.71", "vulnerable": true}, {"criteria": "cpe:2.3:a:glpi-project:glpi:*:*:*:*:*:*:*:*", "matchCriteriaId": "C13BB849-4C19-473A-B105-57915EE59C49", "versionEndExcluding": "11.0.5", "versionStartIncluding": "11.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions ."}], "id": "CVE-2026-23624", "lastModified": "2026-02-06T21:18:17.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T18:16:08.913", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/10.0.23"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/glpi-project/glpi/releases/tag/11.0.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:23:48.808743+00:00", "value": {"mitigation_remediation": ["Upgrade GLPI to version 10.0.23 or later, or 11.0.5 or later, to apply the session\u2011fixation fix.", "If an immediate upgrade is not feasible, disable or restrict SSO authentication for users who share machines or enforce that SSO credentials are not transmitted via shared environment variables.", "After SSO changes, force a logout or regenerate session identifiers to prevent reuse.", "Monitor GLPI logs for abnormal session reuse or unauthorized access attempts and respond promptly when suspicious activity is detected."], "summary": {"action": "Update ASAP", "impact": "Unauthorized Session Hijacking"}, "threat_synthesis": {"affected_systems": "Vulnerable GLPI installations cover all releases from version 0.71 up to, but not including, 10.0.23, and from any 11.x release before 11.0.5. The issue was addressed in GLPI 10.0.23 and 11.0.5 and later, as indicated by the release notes and official advisories. Systems running older versions, especially those that rely on external SSO authentication, remain at risk until the patch is applied.", "description_and_impact": "GLPI, a widely used asset and IT management platform, has a flaw that permits a user employing remote authentication through SSO variables to seize an existing session belonging to another user on the same machine. This session theft enables the attacker to access GLPI resources with the privileges of the hijacked user, leading to unauthorized data disclosure and potential manipulation of system settings. The weakness stems from improper handling of session identifiers during SSO authentication and is classified as session fixation (CWE-384).", "risk_and_exploitability": "The CVSS score of 4.3 rates this vulnerability as moderate, and the EPSS score is below 1%, suggesting a presently low likelihood of exploitation. Because the flaw requires SSO authentication and access to the same machine, it is likely to be exploited by users with local or shared workstation access rather than by purely remote attackers. The vulnerability is not included in the CISA KEV catalog, indicating no known large\u2011scale active exploitation at this time, but patching should remain a priority to mitigate potential risk."}}}}, "created": "2026-02-04T21:17:44.248023+00:00", "updated": "2026-04-17T23:30:15.914113+00:00", "vendors": ["glpi-project", "glpi-project$PRODUCT$glpi"]}