CVE-2026-23489 in fields
Summary
by MITRE • 03/16/2026
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3.
Analysis
by VulDB Data Team • 03/21/2026
CVE-2026-23489 affects the Fields plugin for GLPI, a widely used open-source IT asset management platform. The Fields plugin extends GLPI by letting administrators add custom fields to the forms of various items. In versions prior to 1.23.3, a user who holds the permission to create dropdowns can abuse the plugin's processing logic to execute arbitrary PHP code on the server. This makes the flaw critical: a limited plugin permission escalates directly to unauthorized code execution.
The root cause is insufficient input validation and sanitization in the plugin's dropdown creation functionality. When a user with dropdown creation privileges submits data through the plugin's interface, the user-supplied input is neither validated nor escaped before it is processed within the PHP execution context, so crafted input can be interpreted and executed as PHP code, giving the attacker remote code execution on the GLPI server. The issue maps to CWE-94, "Improper Control of Generation of Code ('Code Injection')", the general class of code injection flaws documented across security frameworks and attack methodologies.
The operational impact is severe for organizations that rely on GLPI for IT management. An attacker who exploits this vulnerability can execute arbitrary commands on the GLPI server and potentially compromise the system completely: escalating privileges, accessing sensitive data, modifying or deleting information, and establishing persistent access through backdoors or additional malicious payloads. The attack surface is particularly concerning because the required privilege, the ability to create dropdowns, is often granted to users who do not have full administrative access, so the vector is more accessible than a typical privilege escalation scenario.
Organizations running GLPI with the Fields plugin should act immediately. The primary and recommended remediation is to upgrade to version 1.23.3 or later, which patches the input validation and sanitization issues. In addition, administrators should restrict access to the Fields plugin functionality at the network level so that only trusted users with a legitimate business need can reach it. The principle of least privilege should be strictly enforced: users who can create dropdowns should hold only the permissions they need and be subject to regular access reviews. Security monitoring should be tuned to detect unusual activity around dropdown creation and form modifications, since such actions may indicate attempted exploitation. In ATT&CK terms, the vulnerability maps to techniques involving code injection and privilege escalation, in the execution and persistence phases of the attack lifecycle. A web application firewall and input validation rules provide additional defense in depth against similar flaws that may exist in other components of the IT management infrastructure.
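To make the CWE-94 pattern concrete, the following is an added illustration written for this page, not the Fields plugin's own code: a hypothetical generator that builds PHP source from a user-supplied dropdown name, shown in its unsafe form and in a hardened form that allowlists the identifier before it can reach the template. The class and function names, and the sample inputs, are constructed for the example.

```php
<?php
// Added example: a hypothetical code generator that turns a user-supplied dropdown
// name into PHP source. It is NOT the Fields plugin's code; it only illustrates the
// CWE-94 pattern the analysis describes and the validation that closes it.
declare(strict_types=1);

// Unsafe pattern: the raw name is pasted into PHP source, so any character that
// PHP treats as syntax (quotes, braces, semicolons, comment markers) becomes code.
function renderDropdownClassUnsafe(string $name): string
{
    return "<?php\nclass CustomDropdown_{$name} extends CommonDropdown {}\n";
}

// Allowlist check: a class-name fragment may only be a strict identifier.
// Anything else is rejected outright rather than "escaped", because no escaping
// makes arbitrary text safe inside PHP source that will later be executed.
function isValidDropdownIdentifier(string $name): bool
{
    return preg_match('/\A[a-z][a-z0-9_]{0,63}\z/', $name) === 1;
}

// Hardened pattern: validate first; only a vetted identifier reaches the template.
// The rejected value is hex-encoded in the message so logs never carry raw input.
function renderDropdownClassSafe(string $name): string
{
    if (!isValidDropdownIdentifier($name)) {
        throw new InvalidArgumentException('Rejected dropdown name: ' . bin2hex($name));
    }
    return "<?php\nclass CustomDropdown_{$name} extends CommonDropdown {}\n";
}

// Constructed sample inputs: one legitimate name and two that a generator must refuse
// (a space and a dot are not identifier characters, whatever follows them).
$samples = ['asset_location', 'asset location', 'asset.v2'];
foreach ($samples as $name) {
    try {
        renderDropdownClassSafe($name);
        echo "accepted: {$name}\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The allowlist is one layer only; the patched release, least privilege on the dropdown-creation permission and monitoring of dropdown creation remain the controls the analysis calls for.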