CVE-2023-41326
published 2023-09-27


Priority: P2 · 67 · high · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 31.17% (98.0th percentile)
GLPI (Gestionnaire Libre de Parc Informatique) is a free asset and IT management software package that provides ITIL service desk features, license tracking and software auditing. A logged-in user from any profile can hijack the Kanban feature to alter any field of any user, and end up stealing that user's account. Users are advised to upgrade to version 10.0.10. There are no known workarounds for this vulnerability.

Affected (2 ranges)

Vendor        Product   Version range         Fixed in
glpi-project  glpi      (not specified)       
glpi-project  glpi      >= 9.5.0, < 10.0.10   10.0.10

Detection & IOCs (extracted from sources)

path: /ajax/kanban.php
command: action=update&itemtype=User&column_field=api_token
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GLPI Authenticated Account takeover via Kanban Feature (CVE-2023-41326)"; flow:established,to_server; http.uri; content:"/ajax/kanban.php"; fast_pattern; http.request_body; content:"action|3d|update"; content:"itemtype|3d|User"; content:"column_field|3d|api_token"; http.method; content:"POST"; reference:url,github.com/Orange-Cyberdefense/glpwnme/; reference:cve,2023-41326; classtype:web-application-attack; sid:2067163; rev:1; metadata:affected_product GLPI, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_28, cve CVE_2023_41326, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for authenticated POST requests to /ajax/kanban.php whose request body contains action=update, itemtype=User and column_field=api_token. This pattern indicates an attempt to overwrite a target user's API token for account takeover; the advisory says any user field can be altered this way, so a Kanban update with itemtype=User is suspicious whatever the column_field.
  • The attack is performed by any authenticated (logged-in) user regardless of profile, so a valid session cookie does not rule out malicious activity. Focus on the abuse pattern at the Kanban AJAX endpoint, and treat the session owner as the attacker, not the victim.
  • Snort/Suricata SID 2067163 (ET rule) covers this exploit. The rule inspects the request body, so deploy it with TLS inspection enabled (the rule metadata flags tls_state TLSDecrypt); without decryption it sees nothing. The content matches are literal byte matches on the body, so percent-encoded spellings of the same parameters are not caught by this revision.
  • No workarounds exist; the only remediation is upgrading GLPI to version 10.0.10 or later.
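The detection pattern above, applied to request logs, as an added example that is not part of the cvebase page or the GLPI project. It flags POSTs to /ajax/kanban.php whose form body carries action=update and itemtype=User, reports the targeted items_id and column_field, and rates api_token as high severity (the indicator the sources give). Treating password and personal_token as equally sensitive is an assumption extended from the advisory's "any user field" wording, and the log format (method, path, status, then the URL-encoded body) is a constructed one: ordinary access logs do not record bodies, so feed this from a WAF, reverse-proxy or application log that does. The body is parsed with parse_qs rather than substring-matched, so percent-encoded variants of the parameter names are normalised before comparison.

```python
"""Flag CVE-2023-41326 exploitation attempts in request logs.

Example code added here; not from the cvebase page or the GLPI project.
Log format is constructed: "<ip> <method> <path> <status> body=<urlencoded>".
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

KANBAN_PATH = "/ajax/kanban.php"

# api_token is the field named in the sources. password and personal_token
# are an assumption: the advisory says any user field can be altered.
SENSITIVE_FIELDS = {"api_token", "password", "personal_token"}

# Constructed sample log; lines 1, 5 and 6 are attack attempts.
SAMPLE_LOG = """\
10.0.0.5 POST /ajax/kanban.php 200 body=action=update&itemtype=User&items_id=2&column_field=api_token&column_value=deadbeef
10.0.0.7 POST /ajax/kanban.php 200 body=action=update&itemtype=ProjectTask&items_id=31&column_field=projectstates_id&column_value=2
10.0.0.9 POST /ajax/kanban.php 200 body=action=refresh&itemtype=Project&items_id=4
10.0.0.5 GET /ajax/kanban.php?action=get_items 200 body=
10.0.0.11 POST /ajax/kanban.php 200 body=action=update&itemtype=User&items_id=6&column_field=password&column_value=x
10.0.0.12 POST /ajax/kanban.php 200 body=action=update&itemtype=user&items_id=6&column_field=api%5Ftoken&column_value=y
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) body=(.*)$")


def analyse(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if it is not an attempt."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status, body = m.groups()
    # Only POSTs to the Kanban AJAX endpoint matter; ignore query-string noise.
    if method != "POST" or urlsplit(target).path != KANBAN_PATH:
        return None
    # parse_qs percent-decodes names and values, so api%5Ftoken == api_token.
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("action") != "update":
        return None
    # Case-insensitive compare: PHP class names (GLPI itemtypes) are case-insensitive.
    if params.get("itemtype", "").lower() != "user":
        return None
    field = params.get("column_field", "")
    return {
        "ip": ip,
        "target_user": params.get("items_id", ""),
        "field": field,
        "severity": "high" if field in SENSITIVE_FIELDS else "medium",
        "status": status,
    }


def scan(log: str) -> List[Dict[str, str]]:
    """Run analyse() over every line and keep the findings."""
    return [hit for hit in (analyse(ln) for ln in log.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['severity']:6} src={hit['ip']} user={hit['target_user']} "
              f"field={hit['field']} http={hit['status']}")
```

The session owner in a matching request is the attacker; the items_id is the victim. A 200 status on a high-severity hit on a version below 10.0.10 should be treated as a successful takeover, and the victim's API token (and the session it may have been used to open) rotated.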

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                8.8     HIGH