CVE-2018-9026
Description
A session fixation vulnerability in CA Privileged Access Manager 2.x allows remote attackers to hijack user sessions with a specially crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CA Privileged Access Manager 2.x is vulnerable to session fixation, allowing remote attackers to hijack user sessions via a specially crafted request.
Vulnerability
A session fixation vulnerability exists in CA Privileged Access Manager (formerly Xceedium Xsuite) version 2.x. The issue arises from insecure handling of user sessions in multiple scripts: the application does not replace the session identifier when a user authenticates, so an identifier that a remote attacker fixed before login remains valid afterwards. The attacker sets the session ID with a crafted request, persuades a user to authenticate while presenting that same ID, and can then reuse it to take over the user's authenticated session. All 2.x releases of CA Privileged Access Manager are affected [1].
Exploitation
To exploit this vulnerability, an attacker needs network access to the CA Privileged Access Manager web interface and a way to deliver a session identifier to the victim. The attacker first crafts a request that sets a known session ID (for example through a URL parameter or form variable) and delivers it to the target user, typically as a phishing link. When the user authenticates, the application keeps the session ID the attacker chose instead of issuing a fresh one. The attacker then presents the same session ID and is treated as the authenticated user, without ever learning the user's credentials [1]. Whether the attacker can choose an arbitrary identifier or must first obtain one the server issued depends on how the application validates session IDs; in either case the defect is the same: the pre-authentication identifier survives login.
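The flow described above, as an added illustration that is not code from CA Privileged Access Manager or from the CA security notice. The product's session handling is not public, so the model below reproduces the generic defect the CVE describes (the session identifier presented before login is kept after login) next to the hardened pattern, and runs the attacker/victim exchange against both. `SessionStore`, `login_vulnerable`, `login_hardened`, the credential table and the fixed identifier string are assumptions for the example.

```python
"""Session fixation in miniature: the pre-login session ID survives authentication.

Added illustration, not code from CA Privileged Access Manager or from the
CA security notice.  The product's session handling is not public, so this
models the generic defect the CVE describes.  SessionStore, login_vulnerable,
login_hardened and the credential table are assumptions for the example.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None  # None until the session is authenticated


class SessionStore:
    """Server-side session table keyed by the identifier the client presents."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self) -> str:
        """Create an anonymous session under a server-chosen, unpredictable ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def adopt(self, sid: str) -> Session:
        """Accept a client-supplied ID as-is (the behaviour that enables fixation)."""
        return self._sessions.setdefault(sid, Session())

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, sid: str) -> str:
        """Move the session state to a fresh ID and invalidate the old one."""
        session = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid


USERS = {"alice": "correct horse battery staple"}  # constructed credential table

LoginFn = Callable[[SessionStore, str, str, str], str]


def login_vulnerable(store: SessionStore, presented_sid: str, user: str, pw: str) -> str:
    """Vulnerable pattern: whatever ID the client presented (cookie, URL parameter
    or form field) is adopted and kept after authentication, so an ID the attacker
    chose and planted on the victim becomes the victim's authenticated session."""
    if USERS.get(user) != pw:
        raise PermissionError("bad credentials")
    session = store.adopt(presented_sid)
    session.user = user
    return presented_sid  # unchanged: the attacker still holds a valid copy


def login_hardened(store: SessionStore, presented_sid: str, user: str, pw: str) -> str:
    """Hardened pattern: ignore IDs the server never issued and rotate the ID at the
    moment of authentication, so no pre-login identifier becomes an authenticated one."""
    if USERS.get(user) != pw:
        raise PermissionError("bad credentials")
    if store.get(presented_sid) is None:
        presented_sid = store.issue()      # never adopt a client-chosen value
    new_sid = store.rotate(presented_sid)  # the old ID, fixed or not, is now dead
    store.get(new_sid).user = user
    return new_sid


def whoami(store: SessionStore, sid: str) -> Optional[str]:
    session = store.get(sid)
    return session.user if session else None


def run_fixation_attack(login: LoginFn) -> Optional[str]:
    """Attacker fixes a session ID, victim logs in with it, attacker reuses it.
    Returns the user the attacker's copy of the ID is now authenticated as."""
    store = SessionStore()
    fixed_sid = "ATTACKER-CHOSEN-0001"  # delivered to the victim, e.g. in a phishing link
    login(store, fixed_sid, "alice", USERS["alice"])  # victim authenticates
    return whoami(store, fixed_sid)  # attacker presents the same ID


def session_id_rotates_on_login(login: LoginFn) -> bool:
    """The check to run against any login flow: the session ID in use after a
    successful login must differ from the one held before it."""
    store = SessionStore()
    before = store.issue()
    after = login(store, before, "alice", USERS["alice"])
    return after != before and whoami(store, after) == "alice"


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: attacker's fixed ID authenticates as {run_fixation_attack(fn)!r}, "
              f"ID rotates on login: {session_id_rotates_on_login(fn)}")
```

Against `login_vulnerable` the attacker's fixed identifier ends up authenticated as `alice`; against `login_hardened` it maps to no session at all, because the server neither adopts unknown identifiers nor keeps a known one across the authentication boundary. `session_id_rotates_on_login` is the same observation a tester makes with a browser or proxy: capture the session cookie before login and compare it with the one in use afterwards.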
Impact
Successful exploitation allows the attacker to hijack an active user session, giving unauthorized access to the Privileged Access Manager web interface with the victim's privileges. Depending on the victim's role, this could result in disclosure of sensitive data, unauthorized configuration changes, or further compromise of the systems the appliance manages. The vulnerability has a CVSSv3 base score of 6.5 (Medium); the score reflects that user interaction is required, since the victim must authenticate while presenting the attacker-supplied session identifier [1].
Mitigation
CA Technologies released a security notice on June 14, 2018, advising customers to apply the vendor-provided patches. The fix for CVE-2018-9026 is included in the latest version of CA Privileged Access Manager, and users should upgrade to the patched version as soon as possible to mitigate the session fixation risk. No workaround is mentioned in the advisory, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1]. After upgrading, the fix can be confirmed from a browser or intercepting proxy: the session cookie value issued before login should be rejected, or at least replaced, once a user has authenticated.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 2.x
- CA Technologies / CA Privileged Access Manager, v5, Range: 2.x
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- www.securityfocus.com/bid/104496 (mitre, vdb-entry, x_refsource_BID)
- support.ca.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html (mitre, x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.