CVE-2018-1340
Description
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage of the user's session token. This cookie lacked the "secure" flag, which could allow an attacker eavesdropping on the network to intercept the user's session token if unencrypted HTTP requests are made to the same domain.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Guacamole prior to 1.0.0 stores the session token in a cookie without the Secure flag, allowing network eavesdroppers to intercept it when the browser sends the cookie over unencrypted HTTP.
Vulnerability
Apache Guacamole versions prior to 1.0.0 store the user's session token in a cookie that lacks the secure flag [1]. This means the cookie can be transmitted over unencrypted HTTP connections if any HTTP requests are made to the same domain, exposing the token to network eavesdropping.
Exploitation
An attacker must be able to eavesdrop on network traffic between the client and the server, such as by being on the same local network or performing a man-in-the-middle attack. When the client makes an unencrypted HTTP request to the Guacamole domain, the attacker can capture the cookie containing the session token.
Impact
Successful exploitation allows the attacker to obtain the user's session token, enabling session hijacking. The attacker can then impersonate the victim and gain unauthorized access to the Apache Guacamole instance with the victim's privileges.
Mitigation
The vulnerability is fixed in Apache Guacamole version 1.0.0 [1]. Users should upgrade to this version or later. No workarounds are documented, and this CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.guacamole:guacamole-common | Maven | < 1.0.0 | 1.0.0 |
Affected products
- Apache Software Foundation / Apache Guacamole (range: Apache Guacamole 0.9.4 to 0.9.14)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-wr7r-vg3c-54r5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-1340 (NVD entry)
- www.securityfocus.com/bid/106768 (SecurityFocus BID 106768)
- lists.apache.org/thread.html/af1632e13dd9acf7537546660cae9143cbb10fdd2f9bb0832a690979%40%3Cannounce.guacamole.apache.org%3E (Apache Guacamole announce list)
News mentions
No linked articles in our index yet.