CVE-2026-23624: CWE-384: Session Fixation in glpi-project glpi
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions .
AI Analysis
Technical Summary
GLPI (Gestionnaire Libre de Parc Informatique) is an open-source IT asset and service management software package widely used in organizations to manage hardware, software, and IT service workflows. CVE-2026-23624 identifies a session fixation vulnerability (CWE-384) in GLPI versions from 0.71 up to before 10.0.23, and from 11.0.0-alpha up to before 11.0.5. The vulnerability manifests when GLPI is configured to use remote authentication based on Single Sign-On (SSO) variables. In this scenario, an attacker with access to the same machine can fixate a session identifier and hijack an active session opened by another user, impersonating the victim without knowing their credentials. The root cause is that the application does not regenerate or invalidate the session identifier upon authentication, so a session ID that existed before login remains valid, now bound to the newly authenticated user. The CVSS vector (AV:P/PR:L) rates the attack vector as physical, meaning the attacker needs access to the same machine and low privileges; no user interaction is required. The impact is primarily on confidentiality, as unauthorized access to the session exposes sensitive IT asset and management information. Integrity and availability are not directly affected. The vulnerability has been addressed in GLPI releases 10.0.23 and 11.0.5 by implementing proper session management controls, including session ID regeneration upon login and better validation of SSO variables. No public exploits have been reported, but the risk remains for organizations running outdated versions with remote authentication enabled.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for entities relying on GLPI for IT asset management, service desk operations, and internal workflow management. Unauthorized session hijacking can expose sensitive asset inventories, user information, and internal IT processes, which could facilitate further attacks, insider threat activity, or data leaks. Confidentiality breaches could affect compliance with GDPR and other data protection regulations, with legal and reputational consequences. Since the attack requires access to the same machine with some privileges, insider threats and compromised internal machines pose the greatest risk; organizations with shared multi-user workstations or insufficient session isolation are particularly exposed. The medium CVSS score reflects that, while the attack is not trivially exploitable remotely without privileges, the confidentiality impact is high. Disruption to IT management processes could indirectly affect operational efficiency and incident response capabilities.
Mitigation Recommendations
1. Upgrade GLPI installations to version 10.0.23 or 11.0.5 or later, where the vulnerability is patched.
2. If an immediate upgrade is not possible, disable remote authentication via SSO variables or restrict it to trusted environments only.
3. Implement strict session management policies, including session ID regeneration upon authentication and session timeout enforcement.
4. Limit access to GLPI systems to trusted users and machines, enforcing network segmentation and access controls to reduce the risk from local or privileged attackers.
5. Monitor GLPI logs for unusual session activity or concurrent sessions from the same machine.
6. Educate users about the risks of shared workstations and encourage logging out after use.
7. Regularly audit GLPI configurations and authentication mechanisms to ensure compliance with security best practices.
8. Employ endpoint security solutions to detect and prevent unauthorized local access or privilege escalation on machines accessing GLPI.
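The technical summary above describes the root cause (a pre-existing session ID stays valid after SSO authentication) and mitigation item 3 names the fix (regenerate the session ID at authentication). The following added example, which is not GLPI's code, models both sides in a minimal in-memory session store: a vulnerable login handler that authenticates the session it was handed, a hardened handler that issues a fresh ID and drops the old one, and a per-request check that the session's bound identity still matches what the SSO layer asserts. The `SessionStore` class, the handler names and the use of a `REMOTE_USER`-style variable are assumptions made for illustration; the user names are constructed.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session store: session id -> session data."""

    def __init__(self):
        self.sessions = {}

    def new(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        return sid

    def get(self, sid):
        return self.sessions.get(sid)

    def destroy(self, sid):
        self.sessions.pop(sid, None)


def vulnerable_sso_login(store, sid, sso_user):
    """CWE-384 pattern: bind the SSO-asserted identity to whatever session id
    the browser already presented, so an id known before login stays valid."""
    sess = store.get(sid) if sid is not None else None
    if sess is None:
        sid = store.new()
        sess = store.get(sid)
    sess["user"] = sso_user
    return sid


def hardened_sso_login(store, sid, sso_user):
    """Fix: authentication always yields a brand-new session id; the pre-auth
    session is destroyed and none of its (untrusted) state is carried over."""
    if sid is not None:
        store.destroy(sid)
    new_sid = store.new()
    store.sessions[new_sid] = {"user": sso_user}
    return new_sid


def validate_request(store, sid, remote_user):
    """Per-request check when SSO variables drive authentication: the identity
    bound to the session must equal the identity the SSO layer asserts now
    (e.g. a REMOTE_USER-style variable, assumed here). On mismatch the
    session is destroyed rather than served."""
    sess = store.get(sid)
    if sess is None:
        return False
    if remote_user is not None and sess.get("user") != remote_user:
        store.destroy(sid)
        return False
    return True


def fixation_succeeds(login):
    """Replays the scenario from the advisory against a login handler and
    reports whether the pre-authentication session id ends up granting the
    victim's identity. Constructed user name; no real system involved."""
    store = SessionStore()
    # A session already exists on the shared machine before the victim logs in
    # (the browser holds its cookie from an earlier, unauthenticated visit).
    pre_auth_sid = store.new()
    # The victim's SSO login arrives carrying that cookie.
    post_auth_sid = login(store, pre_auth_sid, "victim@example.org")
    sess = store.get(pre_auth_sid)
    return sess is not None and sess.get("user") == "victim@example.org"


if __name__ == "__main__":
    print("vulnerable handler, old id still valid:", fixation_succeeds(vulnerable_sso_login))
    print("hardened handler, old id still valid:", fixation_succeeds(hardened_sso_login))
```

Running the block prints `True` for the vulnerable handler and `False` for the hardened one. The `validate_request` check is the defensive counterpart of the "better validation of SSO variables" mentioned in the summary: even if an identifier were somehow reused, a session whose bound user no longer matches the SSO-asserted user is discarded instead of being served.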
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-14T16:08:37.482Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69838221f9fa50a62f9dc5ee
Added to database: 2/4/2026, 5:30:09 PM
Last enriched: 2/4/2026, 5:44:27 PM
Last updated: 2/6/2026, 6:30:03 PM