CVE-2026-23624 Overview
GLPI, a widely used free asset and IT management software package, contains a session fixation vulnerability (CWE-384) that lets a user of a shared machine take over a GLPI session previously opened by another user on that same machine. The flaw is reachable only when remote authentication is configured to use SSO variables, that is, when GLPI trusts a user name supplied by the web server in a request variable. It affects versions from 0.71 up to, but not including, 10.0.23 on the 10.x branch and 11.0.5 on the 11.x branch.
Critical Impact
Authenticated users on shared systems can hijack other users' GLPI sessions when SSO authentication is enabled, potentially gaining access to sensitive IT asset management data and administrative functions.
Affected Products
- GLPI versions 0.71 through 10.0.22
- GLPI versions 11.0.0 through 11.0.4
- Only deployments with remote authentication based on SSO variables are exposed; installations using local, LDAP or other non-SSO login are not affected by this flaw
Discovery Timeline
- 2026-02-04 - CVE-2026-23624 published to NVD
- 2026-02-05 - Last updated in the NVD database
Technical Details for CVE-2026-23624
Vulnerability Analysis
This vulnerability is classified as CWE-384 (Session Fixation): the application does not invalidate or regenerate the session identifier when a user authenticates, so an identifier that existed before the login step stays valid, and is now authenticated, after it. In GLPI the flaw is reachable only when remote authentication based on SSO variables is configured.
Because the identifier travels in the browser's session cookie, the exposure is concentrated on shared workstations and terminal servers: anyone who used the same browser profile around the time of the victim's login can learn the cookie value and continue the victim's session with the victim's rights.
The attack vector is physical: the attacker must use the machine on which the victim's GLPI session was opened. Only low privileges are needed, that is, an ordinary account that can authenticate to GLPI, not any administrative right.
Root Cause
The root cause is session handling in GLPI's SSO authentication flow. When a user is authenticated from SSO variables, the application does not issue a fresh session identifier and discard the old one; the session the browser already presented simply becomes the authenticated one. Any identifier observed on the shared machine before that login, or left behind after it, therefore remains a valid key to the victim's session. Correct handling issues a new, unpredictable identifier on every authentication event and invalidates the previous one (in PHP, session_regenerate_id(true) does this) and destroys the session on logout. The advisory referenced below is the authoritative description of the affected code paths.
Attack Vector
The attack requires physical access to a shared machine from which GLPI is used. An attacker with an ordinary GLPI account can exploit the SSO authentication flow to obtain the session of another user who authenticated from the same system.
A typical exploitation scenario:
- A legitimate user authenticates to GLPI via SSO on a shared workstation
- The user finishes, but the session, or the cookie that identifies it, is not invalidated
- An attacker with physical access to the same machine authenticates to GLPI
- Because no new session identifier was issued at authentication, the attacker can continue the earlier session
- The attacker now acts with the permissions and access of the victim user
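The following is an added example, not GLPI code and not taken from the advisory, that models the weakness described in the Root Cause and Attack Vector sections in Python: a toy server-side session store, an SSO login handler that trusts a REMOTE_USER-style variable but keeps the session id the browser presented (the fixation), and the corrected handler that replaces the id on login. The shared-workstation sequence is replayed against both: whoever used the browser before the victim knows the cookie value, and only the vulnerable handler leaves that value pointing at the victim's authenticated session. The store, the variable name and the user names are constructed for the example.

```python
import secrets


class SessionStore:
    """In-memory stand-in for PHP's server-side session storage (constructed
    for this example; not GLPI code)."""

    def __init__(self):
        self.sessions = {}

    def start(self):
        """Like session_start() with no cookie: create an empty, anonymous session."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def regenerate(self, sid):
        """Like session_regenerate_id(true): move the data to a new id and
        delete the old id so it can no longer be presented."""
        data = self.sessions.pop(sid, {})
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid


def sso_login_vulnerable(store, sid, server_vars):
    """Trusts the SSO variable but keeps whatever session id the browser
    presented: the pre-authentication id becomes the authenticated id."""
    user = server_vars.get("REMOTE_USER")  # hypothetical SSO variable
    if not user:
        return sid
    if store.get(sid) is None:
        sid = store.start()
    store.get(sid)["user"] = user
    return sid  # same id as before login: session fixation


def sso_login_fixed(store, sid, server_vars):
    """Same trust in the SSO variable, but the id presented before login is
    discarded and a fresh one is bound to the authenticated user."""
    user = server_vars.get("REMOTE_USER")
    if not user:
        return sid
    if store.get(sid) is None:
        sid = store.start()
    sid = store.regenerate(sid)  # old id is now invalid
    store.get(sid)["user"] = user
    return sid


def shared_machine_scenario(login):
    """Replays the shared-workstation sequence against one login handler and
    returns which user, if any, the id noted by the attacker resolves to."""
    store = SessionStore()
    # The shared browser profile holds one session cookie across users.
    browser_cookie = store.start()      # attacker loads the login page first
    noted_by_attacker = browser_cookie  # and writes down the cookie value
    # The victim sits down; the web server's SSO module supplies REMOTE_USER
    # and GLPI logs them in inside that same browser session.
    browser_cookie = login(store, browser_cookie, {"REMOTE_USER": "alice"})
    # Later the attacker presents the id noted earlier.
    hijacked = store.get(noted_by_attacker)
    return hijacked["user"] if hijacked else None


if __name__ == "__main__":
    print("vulnerable handler:", shared_machine_scenario(sso_login_vulnerable))
    print("fixed handler:     ", shared_machine_scenario(sso_login_fixed))
```

With the vulnerable handler the noted id resolves to alice; with the fixed handler it resolves to nothing, because regeneration deleted it. The same regeneration step must run on every authentication event, including the SSO path that GLPI takes without a login form, and logout must destroy the server-side session rather than only clearing the cookie.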
For detailed technical information, refer to the GitHub Security Advisory GHSA-5j4j-vx46-r477.
Detection Methods for CVE-2026-23624
Indicators of Compromise
- Multiple user activities occurring within the same session identifier across different authentication events
- Unusual session reuse patterns in GLPI access logs
- Users reporting unauthorized actions taken under their accounts on shared workstations
Detection Strategies
- Monitor GLPI authentication logs for session ID anomalies, particularly where the same session is associated with multiple user accounts
- Implement alerting for rapid user switching on the same session from shared workstation IP addresses
- Review SSO authentication flow logs for improper session handling events
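The detection strategies above can be run as a batch check over access logs. The following is an added example, not part of the page or of GLPI, written in Python against a constructed key=value log in which the web server records a hashed session cookie, the authenticated user and the event type; the format, the field names and the sample lines are assumptions for this example and are not GLPI's own log format. It flags every session id that carries logins for more than one user, reports the gap between those logins so rapid switching on a shared workstation stands out, and skips lines it cannot parse.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical format, not GLPI's). A session id that is
# bound to alice and then to bob is the signature of a reused or fixed session.
SAMPLE_LOG = """\
2026-02-05T08:01:12Z ip=10.0.5.21 sid=3f9a1c user=- event=page
2026-02-05T08:02:40Z ip=10.0.5.21 sid=3f9a1c user=alice event=login
2026-02-05T08:05:03Z ip=10.0.5.21 sid=3f9a1c user=alice event=page
2026-02-05T08:31:19Z ip=10.0.5.21 sid=3f9a1c user=bob event=login
2026-02-05T08:31:45Z ip=10.0.5.21 sid=3f9a1c user=bob event=page
2026-02-05T09:00:00Z ip=10.0.7.9 sid=b77e02 user=carol event=login
2026-02-05T09:10:00Z ip=10.0.7.9 sid=b77e02 user=carol event=logout
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Returns a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def find_shared_sessions(log_text, window_seconds=3600):
    """Flags session ids with logins by more than one user. One finding per
    offending sid: users in login order, seconds between first and last login,
    client IPs seen, and whether the switch happened inside window_seconds."""
    by_sid = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_sid[rec["sid"]].append(rec)
    findings = []
    for sid, recs in by_sid.items():
        logins = sorted((r for r in recs if r["event"] == "login"),
                        key=lambda r: r["ts"])
        users = []
        for r in logins:
            if r["user"] not in users:
                users.append(r["user"])
        if len(users) < 2:
            continue  # one user per session id is the expected state
        gap = (logins[-1]["ts"] - logins[0]["ts"]).total_seconds()
        findings.append({
            "sid": sid,
            "users": users,
            "login_gap_seconds": gap,
            "ips": sorted({r["ip"] for r in recs}),
            "rapid_switch": gap <= window_seconds,
        })
    return findings


if __name__ == "__main__":
    for f in find_shared_sessions(SAMPLE_LOG):
        print(f)
```

To get such data from a real deployment, the web server has to log the session cookie alongside the user the SSO module asserted; with Apache's mod_log_config that is a LogFormat containing %{cookiename}C, where cookiename is the name of GLPI's session cookie as seen in the browser. Hash the cookie value before it reaches the log store: a log of clear-text session ids is itself a session hijacking aid.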
Monitoring Recommendations
- Retain GLPI's event log (login and logout entries) together with web server access logs that capture the session cookie in hashed form, so that session creation, use and termination can be reconstructed per user and per workstation
- Deploy endpoint monitoring on shared workstations to detect potential session hijacking attempts
- Implement user behavior analytics to identify anomalous session patterns indicative of session fixation exploitation
How to Mitigate CVE-2026-23624
Immediate Actions Required
- Upgrade GLPI to version 10.0.23 or 11.0.5 immediately to patch this vulnerability
- Review and audit all systems using SSO-based authentication for signs of exploitation
- Implement strict logout policies on shared workstations to ensure complete session termination
Patch Information
The GLPI development team has released patched versions that address this session fixation vulnerability. Organizations should upgrade to one of the following versions:
- GLPI 10.0.23 for the 10.x branch
- GLPI 11.0.5 for the 11.x branch
For complete patch details, refer to the GitHub Security Advisory GHSA-5j4j-vx46-r477.
Workarounds
- Disable SSO-based remote authentication and fall back to local GLPI authentication until patching is complete; this removes the vulnerable code path at the cost of the single sign-on experience
- Implement strict workstation policies that prevent shared usage of systems accessing GLPI
- Configure browsers on shared workstations to clear all session data on close
- Deploy session timeout policies to minimize the window of exposure for active sessions
# Example: Apache mod_headers settings that reduce cookie and cache exposure on the GLPI virtual host.
# They limit how far a stolen cookie travels; they do not remove the fixation bug, only the upgrade does.
# Requires mod_headers (a2enmod headers); add inside the existing GLPI virtual host.
<VirtualHost *:443>
    <IfModule mod_headers.c>
        # Append cookie attributes. If PHP already emits them (session.cookie_secure,
        # session.cookie_httponly, session.cookie_samesite in php.ini), set them there
        # instead, otherwise this edit duplicates the attributes.
        # SameSite=Strict drops the cookie on the first request after a cross-site redirect
        # (for example back from an external identity provider); use Lax if SSO logins break.
        Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure; SameSite=Strict"
        # Keep authenticated pages out of the shared browser's cache
        Header always set Cache-Control "no-store, no-cache, must-revalidate, private"
        Header always set Pragma "no-cache"
    </IfModule>
</VirtualHost>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

