CVE-2026-23489: CWE-20: Improper Input Validation in pluginsGLPI fields
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
AI Analysis
Technical Summary
CVE-2026-23489 is a critical security vulnerability identified in the 'fields' plugin of GLPI, an open-source IT asset management and service desk software widely used by organizations globally. The 'fields' plugin enables users to add custom fields to GLPI item forms, enhancing customization capabilities. However, prior to version 1.23.3, the plugin suffers from improper input validation (CWE-20), specifically allowing users with the ability to create dropdown menus to inject and execute arbitrary PHP code on the server. This vulnerability arises because the plugin does not sufficiently sanitize or validate user-supplied input before processing it as executable code, leading to remote code execution (RCE). The CVSS 3.1 base score of 9.1 indicates critical severity: the attack vector is network-based (AV:N), attack complexity is low (AC:L), high privileges are required (PR:H) but no user interaction (UI:N), and the scope changes (S:C), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploiting this flaw allows an attacker with dropdown creation privileges to execute arbitrary PHP commands, potentially leading to full system compromise, data theft, manipulation, or denial of service. The vulnerability was publicly disclosed on March 16, 2026, and patched in version 1.23.3 of the plugin. No known exploits have been reported in the wild to date, but the critical nature and ease of exploitation for privileged users make it a significant threat. Organizations using affected versions should prioritize patching to prevent exploitation.
Potential Impact
The impact of CVE-2026-23489 is severe for organizations using GLPI with the vulnerable 'fields' plugin. Successful exploitation grants attackers the ability to execute arbitrary PHP code on the server, effectively allowing full control over the affected system. This can lead to unauthorized data access, data modification, deletion, or disruption of IT asset management operations. Given GLPI's role in managing critical IT infrastructure and assets, such a compromise could cascade into broader organizational security failures, including exposure of sensitive information, disruption of IT service management workflows, and potential lateral movement within the network. The requirement for authenticated users with dropdown creation privileges limits the attack surface but does not eliminate risk, especially in environments with many users or insufficient privilege management. The vulnerability's critical severity underscores the potential for significant operational and reputational damage if exploited.
Mitigation Recommendations
To mitigate CVE-2026-23489, organizations should immediately upgrade the 'fields' plugin to version 1.23.3 or later, where the vulnerability has been patched. In addition to patching, organizations should audit user permissions to ensure that only trusted and necessary users have the ability to create dropdowns or manage plugin configurations. Implement strict role-based access controls (RBAC) and regularly review user privileges to minimize the risk of insider threats or compromised accounts. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious PHP code injection attempts. Monitor logs for unusual activity related to plugin usage or PHP execution. Where possible, isolate GLPI servers within segmented network zones to limit potential lateral movement. Finally, maintain regular backups of GLPI data and configurations to enable rapid recovery in case of compromise.
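As an added example (not code from the page or from the fields plugin project), the following Python script audits an installed copy of the plugin: it reads the plugin's setup.php, extracts the declared version, and reports whether it predates the patched release 1.23.3. It assumes the version is declared as define('PLUGIN_FIELDS_VERSION', '...'), the conventional form for GLPI plugins; check this against your copy before relying on the result.

```python
"""Audit a GLPI 'fields' plugin install against CVE-2026-23489 (fixed in 1.23.3)."""
import re
from pathlib import Path
from typing import Optional

FIXED_VERSION = "1.23.3"

# Assumption: the plugin declares its version in setup.php as
# define('PLUGIN_FIELDS_VERSION', '<version>'); adjust the pattern if yours differs.
VERSION_RE = re.compile(
    r"""define\(\s*['"]PLUGIN_FIELDS_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Constructed sample of a setup.php header, used for the self-test below.
SAMPLE_SETUP_PHP = """<?php
// constructed sample, not the real plugin file
define('PLUGIN_FIELDS_VERSION', '1.23.2');
"""


def parse_plugin_version(setup_php: str) -> Optional[str]:
    """Return the version string declared in setup.php, or None if absent."""
    match = VERSION_RE.search(setup_php)
    return match.group(1) if match else None


def version_key(version: str) -> tuple:
    """Comparable tuple: numeric parts padded to three, pre-release suffix sorts lower."""
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))          # "1.23" compares as 1.23.0
    return nums + ((0,) if suffix else (1,))  # "1.23.3-rc1" < "1.23.3"


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the patched release."""
    return version_key(version) < version_key(FIXED_VERSION)


def audit_setup_php_text(setup_php: str) -> str:
    """Classify a setup.php body as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_plugin_version(setup_php)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def audit_plugin_dir(glpi_plugins_dir: Path) -> str:
    """Audit <plugins dir>/fields/setup.php on disk (path layout is an assumption)."""
    setup = glpi_plugins_dir / "fields" / "setup.php"
    return audit_setup_php_text(setup.read_text()) if setup.exists() else "unknown"


if __name__ == "__main__":
    print("sample:", audit_setup_php_text(SAMPLE_SETUP_PHP))
```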
Affected Countries
United States, France, Germany, United Kingdom, Canada, Australia, Netherlands, Italy, Spain, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T15:47:41.628Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b83bfc9d4df4518377219e
Added to database: 3/16/2026, 5:21:00 PM
Last enriched: 3/16/2026, 5:35:16 PM
Last updated: 3/16/2026, 7:31:00 PM