KubePi vulnerable to session fixation attack
Description
KubePi versions <=1.6.3 are vulnerable to session fixation, allowing an attacker to hijack a legitimate user session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
KubePi, a modern Kubernetes panel, is susceptible to a session fixation vulnerability in versions 1.6.3 and below [1]. The root cause is that the application does not regenerate the session identifier upon successful login, allowing an attacker to pre-set a session ID and trick a victim into using it [2].
Attack Vector
An attacker can exploit this issue by first obtaining a valid session ID from KubePi, then luring an authenticated user to access the application with that same session ID. No authentication is required for the initial step, as the attacker can retrieve a session cookie without logging in [2]. Once the victim authenticates, the attacker can reuse the same session ID to gain unauthorized access.
Impact
Successful exploitation allows the attacker to hijack the victim's session and gain the same privileges as the authenticated user, potentially leading to full control over the Kubernetes clusters managed by KubePi [1].
Mitigation
The vulnerability is fixed in KubePi version 1.6.4, which includes a patch that clears any existing session cookie and generates a new session ID upon login [2][3]. Users are strongly advised to upgrade to this version or later. No workarounds are documented.
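The Vulnerability Description and Mitigation sections above describe the defect and the fix in prose. The following Go program is an added example, not KubePi's code: it uses a toy in-memory session store (an assumption standing in for the iris sessions manager) to replay the scenario against two login handlers, one that keeps the pre-login session ID, the way the vulnerable versions did, and one that issues a fresh ID on login, the way 1.6.4 does. The fixed handler additionally destroys the old session server-side, which goes a step beyond the KubePi patch and is marked as such in the code.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
)

// store is a constructed in-memory session manager for this example; it stands in
// for KubePi's iris sessions manager and is not the project's own code.
type store struct {
	mu       sync.Mutex
	sessions map[string]map[string]string
}

func newStore() *store {
	return &store{sessions: make(map[string]map[string]string)}
}

// newID returns a random 128-bit session identifier.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// start mirrors a Start(ctx) call: reuse the session named by the cookie when it
// exists, otherwise create a fresh one; the returned ID is the cookie value.
func (s *store) start(cookie string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.sessions[cookie]; cookie != "" && ok {
		return cookie
	}
	id := newID()
	s.sessions[id] = make(map[string]string)
	return id
}

func (s *store) set(id, key, val string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if sess, ok := s.sessions[id]; ok {
		sess[key] = val
	}
}

func (s *store) get(id, key string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok {
		return "", false
	}
	val, ok := sess[key]
	return val, ok
}

// destroy drops a session server-side so its ID can never resolve again.
func (s *store) destroy(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, id)
}

// vulnerableLogin keeps whatever session the request already carried and simply
// binds the profile to it, so a pre-login ID stays valid after authentication.
func vulnerableLogin(s *store, cookie, user string) string {
	id := s.start(cookie)
	s.set(id, "profile", user)
	return id
}

// fixedLogin discards the incoming session and issues a fresh ID on login.
// Destroying the old session server-side is an added hardening choice; the
// KubePi patch itself only strips the cookie from the request.
func fixedLogin(s *store, cookie, user string) string {
	if cookie != "" {
		s.destroy(cookie)
	}
	id := s.start("")
	s.set(id, "profile", user)
	return id
}

// loggedInUser reports which profile, if any, a session cookie resolves to.
func loggedInUser(s *store, cookie string) (string, bool) {
	return s.get(cookie, "profile")
}

// fixationSucceeds replays the advisory's scenario against a login handler: an
// unauthenticated visit yields a session ID, the victim then logs in while
// carrying that ID, and we check whether the original ID now resolves to the
// victim's profile. true means the handler is vulnerable.
func fixationSucceeds(login func(*store, string, string) string) bool {
	s := newStore()
	preLoginID := s.start("")      // obtained without logging in
	login(s, preLoginID, "victim") // victim authenticates with that cookie
	user, ok := loggedInUser(s, preLoginID)
	return ok && user == "victim"
}

func main() {
	fmt.Println("vulnerable handler keeps pre-login ID:", fixationSucceeds(vulnerableLogin)) // true
	fmt.Println("fixed handler keeps pre-login ID:", fixationSucceeds(fixedLogin))           // false
}
```

The check a reviewer wants from any login handler is the last one in `fixationSucceeds`: the identifier the browser presented before authentication must not resolve to the authenticated profile afterwards, regardless of how that identifier was obtained.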
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/KubeOperator/kubepi (Go) | < 1.6.4 | 1.6.4 |
Affected products
- KubeOperator/KubePi, range: <= 1.6.3
Patches
1e9c550356c1 fix: resolve the vulnerability where the cookie is not refreshed after login
3 files changed · +12 −11
internal/api/v1/session/profile.go+2 −2 modified@@ -7,7 +7,7 @@ import ( "github.com/kataras/iris/v12/context" ) -func (h Handler) UpdateProfile() iris.Handler { +func (h *Handler) UpdateProfile() iris.Handler { return func(ctx *context.Context) { var req ProfileSetter if err := ctx.ReadJSON(&req); err != nil { @@ -50,7 +50,7 @@ func (h Handler) UpdateProfile() iris.Handler { ctx.Values().Set("data", "ok") } } -func (h Handler) UpdatePassword() iris.Handler { +func (h *Handler) UpdatePassword() iris.Handler { return func(ctx *context.Context) { var pass PasswordSetter if err := ctx.ReadJSON(&pass); err != nil {
internal/api/v1/session/session.go+8 −7 modified@@ -76,11 +76,6 @@ func (h *Handler) IsLogin() iris.Handler { return } } else { - if err := session.Man.ShiftExpiration(ctx); err != nil { - ctx.StatusCode(iris.StatusInternalServerError) - ctx.Values().Set("message", fmt.Errorf("shift expiration falied, err: %v", err)) - return - } ctx.StatusCode(iris.StatusOK) ctx.Values().Set("data", loginUser != nil) } @@ -167,8 +162,14 @@ func (h *Handler) Login() iris.Handler { ctx.Values().Set("token", token) return default: - session := server.SessionMgr.Start(ctx) - session.Set("profile", profile) + sId := ctx.GetCookie(server.SessionCookieName) + if sId != "" { + ctx.RemoveCookie(server.SessionCookieName) + ctx.Request().Header.Del("Cookie") + } + sess := server.SessionMgr.Start(ctx) + ctx.SetCookieKV(server.SessionCookieName, sess.ID()) + sess.Set("profile", profile) } ctx.StatusCode(iris.StatusOK)
internal/server/server.go+2 −2 modified@@ -31,7 +31,7 @@ import ( "github.com/sirupsen/logrus" ) -const sessionCookieName = "SESS_COOKIE_KUBEPI" +const SessionCookieName = "SESS_COOKIE_KUBEPI" var SessionMgr *sessions.Sessions @@ -149,7 +149,7 @@ func (e *KubePiServer) setUpStaticFile() { } func (e *KubePiServer) setUpSession() { - SessionMgr = sessions.New(sessions.Config{Cookie: sessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour}) + SessionMgr = sessions.New(sessions.Config{Cookie: SessionCookieName, AllowReclaim: true, Expires: time.Duration(e.config.Spec.Session.Expires) * time.Hour}) e.rootRoute.Use(SessionMgr.Handler()) }
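Review bot: in the session.go Login hunk, the attacker-supplied session is only detached from the request, not destroyed: after `ctx.RemoveCookie(server.SessionCookieName)` and `ctx.Request().Header.Del("Cookie")` the old session object is still alive in `server.SessionMgr`, so whoever holds the old ID keeps a valid, if unauthenticated, session until it expires. Consider destroying the old session before `server.SessionMgr.Start(ctx)` (the manager's destroy-by-ID call, if the sessions package in use provides one). Two smaller points: `Header.Del("Cookie")` strips every cookie from the request rather than only the session cookie, which is broader than the fix needs; and the explicit `ctx.SetCookieKV(server.SessionCookieName, sess.ID())` duplicates the cookie that `Start` already sets, so verify it carries the same attributes (path, expiry) as the manager-issued cookie instead of defaults.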
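Review bot: the session.go IsLogin hunk drops the `session.Man.ShiftExpiration(ctx)` call on the not-logged-in branch, so unauthenticated sessions no longer have their expiry extended on each check. That is a behaviour change the commit message ("cookie not refreshed after login") does not mention; either document why it belongs to this fix or move it to its own commit.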
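Review bot: the profile.go hunk switches `UpdateProfile` and `UpdatePassword` from value to pointer receivers, matching `IsLogin` and `Login` in session.go. That is a consistency cleanup with no bearing on the session fix and would be easier to review as a separate commit, or at least called out in the commit message.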
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v4w5-r2xc-7f8h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-22479 (ghsa, ADVISORY)
- github.com/1Panel-dev/KubePi/security/advisories/GHSA-v4w5-r2xc-7f8h (ghsa, WEB)
- github.com/KubeOperator/KubePi/commit/1e9c550356c1a425a742480efcf743d373e98dcb (ghsa, WEB)
- github.com/KubeOperator/KubePi/releases/tag/v1.6.4 (ghsa, WEB)
- github.com/KubeOperator/KubePi/security/advisories/GHSA-v4w5-r2xc-7f8h (ghsa, x_refsource_CONFIRM, WEB)