CWE-384
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
CVE-2026-31940 (GCVE-0-2026-31940)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:35 – Updated: 2026-04-14 14:12
VLAI
Title
Session Fixation in Chamilo LMS
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/chamilo/chamilo-lms/security/a… | x_refsource_CONFIRM |
| https://github.com/chamilo/chamilo-lms/commit/ce0… | x_refsource_MISC |
| https://github.com/chamilo/chamilo-lms/commit/e33… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:12:20.377261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:12:28.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:35:10.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869"
}
],
"source": {
"advisory": "GHSA-4gp7-cfjh-77gv",
"discovery": "UNKNOWN"
},
"title": "Session Fixation in Chamilo LMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31940",
"datePublished": "2026-04-10T17:35:10.661Z",
"dateReserved": "2026-03-10T15:10:10.655Z",
"dateUpdated": "2026-04-14T14:12:28.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33384 (GCVE-0-2026-33384)
Vulnerability from cvelistv5 – Published: 2026-05-29 15:12 – Updated: 2026-05-29 17:31
VLAI
Title
Session Fixation in QuickCMS
Summary
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID
for a victim and later hijack the authenticated session.
This issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/05/CVE-2026-33384/ | third-party-advisory |
| https://opensolution.org/home.html | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenSolution | QuickCMS |
Affected:
0 , ≤ 6.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T17:31:45.627313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T17:31:52.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "QuickCMS",
"vendor": "OpenSolution",
"versions": [
{
"lessThanOrEqual": "6.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jakub Lipi\u0144ski"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eQuickCMS allows a user\u0027s session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eThis issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable.\u003cbr\u003e"
}
],
"value": "QuickCMS allows a user\u0027s session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID\nfor a victim and later hijack the authenticated session.\n\nThis issue was fixed in a patch to version 6.8 published on 15.05.2026, deployments without this patch are still vulnerable."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:12:14.339Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/05/CVE-2026-33384/"
},
{
"tags": [
"product"
],
"url": "https://opensolution.org/home.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Session Fixation in QuickCMS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-33384",
"datePublished": "2026-05-29T15:12:14.339Z",
"dateReserved": "2026-03-19T10:45:47.735Z",
"dateUpdated": "2026-05-29T17:31:52.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33492 (GCVE-0-2026-33492)
Vulnerability from cvelistv5 – Published: 2026-03-23 15:25 – Updated: 2026-03-23 15:40
VLAI
Title
AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration
Summary
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch.
Severity
7.3 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/WWBN/AVideo/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/WWBN/AVideo/commit/5647a94d79b… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33492",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T15:40:34.799115Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:40:38.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x3pr-vrhq-vq43"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "AVideo",
"vendor": "WWBN",
"versions": [
{
"status": "affected",
"version": "\u003c= 26.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo\u0027s `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim\u0027s session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T15:25:27.288Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x3pr-vrhq-vq43",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-x3pr-vrhq-vq43"
},
{
"name": "https://github.com/WWBN/AVideo/commit/5647a94d79bf69a972a86653fe02144079948785",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/WWBN/AVideo/commit/5647a94d79bf69a972a86653fe02144079948785"
}
],
"source": {
"advisory": "GHSA-x3pr-vrhq-vq43",
"discovery": "UNKNOWN"
},
"title": "AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33492",
"datePublished": "2026-03-23T15:25:27.288Z",
"dateReserved": "2026-03-20T16:16:48.971Z",
"dateUpdated": "2026-03-23T15:40:38.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33757 (GCVE-0-2026-33757)
Vulnerability from cvelistv5 – Published: 2026-03-27 14:10 – Updated: 2026-04-01 03:55
VLAI
Title
OpenBao lacks user confirmation for OIDC direct callback mode
Summary
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/openbao/openbao/security/advis… | x_refsource_CONFIRM |
| https://github.com/openbao/openbao/commit/e321039… | x_refsource_MISC |
| https://datatracker.ietf.org/doc/html/rfc8628#sec… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T03:55:23.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openbao",
"vendor": "openbao",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform \"remote phishing\" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:10:58.639Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openbao/openbao/security/advisories/GHSA-7q7g-x6vg-xpc3"
},
{
"name": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openbao/openbao/commit/e32103951925723e9787e33886ab6b6ec20f4964"
},
{
"name": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://datatracker.ietf.org/doc/html/rfc8628#section-5.4"
}
],
"source": {
"advisory": "GHSA-7q7g-x6vg-xpc3",
"discovery": "UNKNOWN"
},
"title": "OpenBao lacks user confirmation for OIDC direct callback mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33757",
"datePublished": "2026-03-27T14:10:58.639Z",
"dateReserved": "2026-03-23T18:30:14.125Z",
"dateUpdated": "2026-04-01T03:55:23.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33946 (GCVE-0-2026-33946)
Vulnerability from cvelistv5 – Published: 2026-03-27 21:20 – Updated: 2026-03-30 18:42
VLAI
Title
MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
Summary
MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/modelcontextprotocol/ruby-sdk/… | x_refsource_CONFIRM |
| https://github.com/modelcontextprotocol/ruby-sdk/… | x_refsource_MISC |
| https://hackerone.com/reports/3556146 | x_refsource_MISC |
| https://github.com/modelcontextprotocol/csharp-sd… | x_refsource_MISC |
| https://github.com/modelcontextprotocol/go-sdk/bl… | x_refsource_MISC |
| https://github.com/modelcontextprotocol/python-sd… | x_refsource_MISC |
| https://github.com/modelcontextprotocol/ruby-sdk/… | x_refsource_MISC |
| https://github.com/modelcontextprotocol/ruby-sdk/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| modelcontextprotocol | ruby-sdk |
Affected:
< 0.9.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33946",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T18:42:40.211983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T18:42:43.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ruby-sdk",
"vendor": "modelcontextprotocol",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK\u0027s streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim\u0027s Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T21:20:07.900Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35"
},
{
"name": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874"
},
{
"name": "https://hackerone.com/reports/3556146",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3556146"
},
{
"name": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97"
},
{
"name": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2"
},
{
"name": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685"
},
{
"name": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb"
},
{
"name": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2"
}
],
"source": {
"advisory": "GHSA-qvqr-5cv7-wh35",
"discovery": "UNKNOWN"
},
"title": "MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33946",
"datePublished": "2026-03-27T21:20:07.900Z",
"dateReserved": "2026-03-24T19:50:52.105Z",
"dateUpdated": "2026-03-30T18:42:43.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34454 (GCVE-0-2026-34454)
Vulnerability from cvelistv5 – Published: 2026-04-14 22:10 – Updated: 2026-04-15 13:30
VLAI
Title
OAuth2 Proxy: Session cookie not cleared when rendering sign-in page
Summary
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/oauth2-proxy/oauth2-proxy/secu… | x_refsource_CONFIRM |
| https://github.com/oauth2-proxy/oauth2-proxy/rele… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| oauth2-proxy | oauth2-proxy |
Affected:
>= 7.11.0, < 7.15.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34454",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T13:30:00.521921Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:30:10.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oauth2-proxy",
"vendor": "oauth2-proxy",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.11.0, \u003c 7.15.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user\u0027s authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T22:14:00.972Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"
},
{
"name": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"
}
],
"source": {
"advisory": "GHSA-f24x-5g9q-753f",
"discovery": "UNKNOWN"
},
"title": "OAuth2 Proxy: Session cookie not cleared when rendering sign-in page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34454",
"datePublished": "2026-04-14T22:10:37.901Z",
"dateReserved": "2026-03-27T18:18:14.895Z",
"dateUpdated": "2026-04-15T13:30:10.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41613 (GCVE-0-2026-41613)
Vulnerability from cvelistv5 – Published: 2026-05-12 16:59 – Updated: 2026-06-09 19:33
VLAI
Title
Visual Studio Code Elevation of Privilege Vulnerability
Summary
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Visual Studio Code |
Affected:
1.0.0 , < 1.119.1
(custom)
|
Date Public
2026-05-12 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41613",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-07T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T03:57:22.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Visual Studio Code",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "1.119.1",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:visual_studio_code:*:*:*:*:*:*:*:*",
"versionEndExcluding": "1.119.1",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-05-12T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en-US",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:33:40.875Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Visual Studio Code Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41613"
}
],
"title": "Visual Studio Code Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-41613",
"datePublished": "2026-05-12T16:59:32.826Z",
"dateReserved": "2026-04-21T22:14:12.924Z",
"dateUpdated": "2026-06-09T19:33:40.875Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41839 (GCVE-0-2026-41839)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:49 – Updated: 2026-06-09 13:30
VLAI
Title
Spring Framework Escalation via Session Fixation in WebFlux
Summary
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.
Affected versions:
Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.
Severity
4.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Spring | Spring Framework |
Affected:
7.0.0 , < 7.0.8
(custom)
Affected: 6.2.0 , < 6.2.19 (custom) Affected: 6.1.0 , < 6.1.28 (custom) Affected: 5.3.0 , < 5.3.49 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:30:25.839375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:30:34.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring Framework",
"vendor": "Spring",
"versions": [
{
"lessThan": "7.0.8",
"status": "affected",
"version": "7.0.0",
"versionType": "custom"
},
{
"lessThan": "6.2.19",
"status": "affected",
"version": "6.2.0",
"versionType": "custom"
},
{
"lessThan": "6.1.28",
"status": "affected",
"version": "6.1.0",
"versionType": "custom"
},
{
"lessThan": "5.3.49",
"status": "affected",
"version": "5.3.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48."
}
],
"value": "A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user.\n\nAffected versions:\nSpring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A WebFlux application with a compromised subdomain is vulnerable to a session fixation escalation attack that allows an attacker to exchange a known session ID for that of an authenticated user."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:49:52.381Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41839"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Spring Framework Escalation via Session Fixation in WebFlux",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41839",
"datePublished": "2026-06-09T03:49:52.381Z",
"dateReserved": "2026-04-22T06:22:01.123Z",
"dateUpdated": "2026-06-09T13:30:34.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-43827 (GCVE-0-2026-43827)
Vulnerability from cvelistv5 – Published: 2026-05-25 20:19 – Updated: 2026-05-26 12:39
VLAI
Title
Apache Shiro: Session fixation: new session is not created after login by default
Summary
Default configurations of Apache Shiro have a session fixation vulnerability.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-384 - Session Fixation
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Shiro |
Affected:
1.0 , ≤ 2.1.0
(semver)
Affected: 3.0.0-alpha-0 , ≤ 3.0.0-alpha-1 (semver) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-25T21:26:12.053Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/25/6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-43827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:39:33.503346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:39:39.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.shiro:shiro-core",
"product": "Apache Shiro",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "3.0.0-alpha-1",
"status": "affected",
"version": "3.0.0-alpha-0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rasmus Moorats \u003cxx@nns.ee\u003e"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Lenny Primak \u003clenny@flowlogix.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eDefault configurations of Apache Shiro have a s\u003c/span\u003eession fixation vulnerability.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\u003c/p\u003eIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Default configurations of Apache Shiro have a session fixation vulnerability.\n\nThis issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.\n\nUsers are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.\n\nIn the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "USER",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "AMBER",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/AU:Y/R:U/RE:L/U:Amber",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "LOW"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:19:03.428Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://shiro.apache.org/security-reports.html#cve_2026_43827"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Shiro: Session fixation: new session is not created after login by default",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-43827",
"datePublished": "2026-05-25T20:19:03.428Z",
"dateReserved": "2026-05-02T22:26:19.626Z",
"dateUpdated": "2026-05-26T12:39:39.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45773 (GCVE-0-2026-45773)
Vulnerability from cvelistv5 – Published: 2026-05-15 15:51 – Updated: 2026-05-15 16:45
VLAI
Title
Turborepo: Login callback CSRF/session fixation
Summary
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/vercel/turborepo/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45773",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T16:44:57.841414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T16:45:06.076Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "turborepo",
"vendor": "vercel",
"versions": [
{
"status": "affected",
"version": "\u003c 2.9.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo\u0027s self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T15:51:38.066Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vercel/turborepo/security/advisories/GHSA-hcf7-66rw-9f5r"
}
],
"source": {
"advisory": "GHSA-hcf7-66rw-9f5r",
"discovery": "UNKNOWN"
},
"title": "Turborepo: Login callback CSRF/session fixation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45773",
"datePublished": "2026-05-15T15:51:38.066Z",
"dateReserved": "2026-05-13T07:45:21.251Z",
"dateUpdated": "2026-05-15T16:45:06.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Invalidate any existing session identifiers prior to authorizing a new user session.
Mitigation
Phase: Architecture and Design
Description:
- For platforms such as ASP that do not generate new values for sessionid cookies, utilize a secondary cookie. In this approach, set a secondary cookie on the user's browser to a random value and set a session variable to the same value. If the session variable and the cookie value ever don't match, invalidate the session, and force the user to log on again.
Mitigation ID: MIT-29
Phase: Operation
Strategy: Firewall
Description:
- Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-196: Session Credential Falsification through Forging
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.
CAPEC-39: Manipulating Opaque Client-based Data Tokens
In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-61: Session Fixation
The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.