CVE-2026-23624

Summary

GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .

Affected Software

VendorProductVersion RangeStatus
glpi-projectglpi>= 0.71, < 10.0.23affected
glpi-projectglpi>= 11.0.0-alpha, < 11.0.5affected

Weaknesses

  • CWE-384: CWE-384: Session Fixation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References