CVE-2026-11956
Description
Gatus 5.36.0 OIDC session cookie lacks HttpOnly and Secure flags, exposing session IDs to JavaScript and plaintext HTTP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the setSessionCookie function in security/oidc.go (lines 139–150) of TwiN gatus version 5.36.0. The OIDC session cookie is set without the HttpOnly and Secure attributes, whereas the short-lived state and nonce cookies used during the login flow explicitly set HttpOnly: true. The inconsistency leaves the long-lived session cookie readable by client-side script and transmittable over unencrypted HTTP connections [2].
Exploitation
An attacker needs one of two positions: on the network path between a user's browser and a Gatus instance served over plain HTTP (common for internal monitoring tools), or the ability to run arbitrary JavaScript in the Gatus origin, for example through a cross-site scripting flaw. In the first case the attacker passively captures the Set-Cookie response, or any later request carrying the cookie, from the cleartext traffic. In the second, script reads document.cookie and exfiltrates the session ID, which the HttpOnly flag would otherwise prevent. Attack complexity is rated high because of these prerequisites [2].
Impact
Successful exploitation yields the OIDC session cookie, which is the only credential required to reach protected dashboard endpoints (e.g., /v1/endpoints/statuses). Holding the session ID, the attacker impersonates the authenticated user for the remainder of the session, with full access to the monitoring dashboard and its data; the default session TTL of 8 hours gives a substantial window for abuse. The impact is a loss of confidentiality: unauthorized access to sensitive service status information [2].
Mitigation
As of the publication date, no official fix has been released; the GitHub issue was closed with the label "not planned" [2]. Until a patch is provided, administrators should serve Gatus exclusively over HTTPS, directly or behind a TLS-terminating reverse proxy, which removes the cleartext-interception path. The missing HttpOnly flag still leaves the cookie exposed to any script injection in the origin, so cross-site scripting in the deployment must be treated as session compromise until the flag is set. As a workaround, users can modify the setSessionCookie function to add HttpOnly: true and Secure: true to the cookie definition [2]. Note that a browser never sends a cookie marked Secure over plain http://, so a hard-coded Secure: true only takes effect once the instance is actually reached over HTTPS; on a plain-HTTP deployment it would break login rather than protect it.
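The cookie construction described under Vulnerability and the workaround above, as an added example that is not Gatus's code: a reconstruction of the defective cookie beside a hardened version, plus a small auditor that parses a raw Set-Cookie header, the same check one would apply to the response of `curl -i` against a live instance. The cookie name gatus_session, the host gatus.internal and the fixed session ID are assumptions; the Secure flag is tied to the request scheme (direct TLS, or a trusted X-Forwarded-Proto from a reverse proxy) rather than hard-coded, for the reason given in the mitigation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Assumptions: the cookie name is hypothetical, not Gatus's real identifier;
// the 8h TTL is the default the advisory cites.
const (
	sessionCookieName = "gatus_session"
	sessionTTL        = 8 * time.Hour
)

// setSessionCookieVulnerable reconstructs the defect described for Gatus 5.36.0
// (illustrative, not the project's code): path and expiry are set, but neither
// HttpOnly nor Secure, so script can read it and browsers send it over http://.
func setSessionCookieVulnerable(w http.ResponseWriter, sessionID string) {
	http.SetCookie(w, &http.Cookie{
		Name:    sessionCookieName,
		Value:   sessionID,
		Path:    "/",
		Expires: time.Now().Add(sessionTTL),
	})
}

// isTLSRequest reports whether the browser-facing hop is HTTPS: this process
// terminated TLS, or a reverse proxy in front said so via X-Forwarded-Proto.
// Trust that header only when the proxy always overwrites it.
func isTLSRequest(r *http.Request) bool {
	return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// setSessionCookieHardened is the corrected form. HttpOnly is unconditional.
// Secure follows the request scheme on purpose: browsers never send a Secure
// cookie over http://, so hard-coding it on a plain-HTTP deployment would break
// login instead of protecting it; put TLS in front and it is set automatically.
func setSessionCookieHardened(w http.ResponseWriter, r *http.Request, sessionID string) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    sessionID,
		Path:     "/",
		Expires:  time.Now().Add(sessionTTL),
		HttpOnly: true,
		Secure:   isTLSRequest(r),
		SameSite: http.SameSiteLaxMode, // cheap extra against CSRF on this cookie
	})
}

// CookieAudit records which of the two flags at issue a Set-Cookie header has.
type CookieAudit struct {
	Name     string
	HttpOnly bool
	Secure   bool
}

// auditSetCookie parses a raw Set-Cookie header value, e.g. one copied from
// `curl -i` against a running instance. Attribute names are case-insensitive
// (RFC 6265), hence the lowercasing.
func auditSetCookie(header string) CookieAudit {
	parts := strings.Split(header, ";")
	name, _, _ := strings.Cut(strings.TrimSpace(parts[0]), "=")
	a := CookieAudit{Name: name}
	for _, p := range parts[1:] {
		switch strings.ToLower(strings.TrimSpace(p)) {
		case "httponly":
			a.HttpOnly = true
		case "secure":
			a.Secure = true
		}
	}
	return a
}

// recordSetCookie runs one of the two setters in-process with a fixed session
// ID and returns the Set-Cookie header it emitted. An https:// target makes
// httptest populate r.TLS; a non-empty forwardedProto simulates a TLS proxy.
func recordSetCookie(hardened bool, target, forwardedProto string) string {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	if hardened {
		setSessionCookieHardened(rec, req, "sid-example")
	} else {
		setSessionCookieVulnerable(rec, "sid-example")
	}
	return rec.Header().Get("Set-Cookie")
}

func main() {
	// Direct TLS, plain HTTP behind a TLS-terminating proxy, and plain HTTP.
	for _, c := range [][2]string{{"https://gatus.internal/", ""}, {"http://gatus.internal/", "https"}, {"http://gatus.internal/", ""}} {
		fmt.Printf("%-24s %-6s vulnerable %+v\n", c[0], c[1], auditSetCookie(recordSetCookie(false, c[0], c[1])))
		fmt.Printf("%-24s %-6s hardened   %+v\n", c[0], c[1], auditSetCookie(recordSetCookie(true, c[0], c[1])))
	}
}
```

The vulnerable setter reports both flags absent in every case. The hardened setter reports HttpOnly in every case and Secure only when the request arrived over TLS or a proxy asserted it; the plain-HTTP row without Secure is the correct outcome there, and it is also the signal that the deployment still needs TLS in front.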
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The setSessionCookie function in security/oidc.go creates a session cookie without setting the Secure attribute, allowing the cookie to be transmitted over unencrypted HTTP connections."
Attack vector
An attacker with a network position between the browser and the server can intercept the OIDC session cookie whenever the application is reached over HTTP or a man-in-the-middle position exists, because the cookie lacks the `Secure` flag [1]. Attack complexity is high: the attacker must sit on the network path, and the cookie must actually be transmitted over an unencrypted connection. The CVSS vector records a network attack vector with high attack complexity; the weakness is classified as CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute).
Affected code
The vulnerability resides in the `setSessionCookie` function within `security/oidc.go`. This function creates the session cookie for the OIDC authentication flow but does not set the `Secure` flag on it.
What the fix does
The advisory does not include a published patch; the GitHub issue was closed with the label 'not planned', indicating the maintainers decided not to fix this vulnerability. To remediate, `setSessionCookie` should set the `Secure` flag (and, per the description, `HttpOnly`) on the session cookie, so that it is only transmitted over HTTPS and cannot be read by client-side script.
Preconditions
- network: The Gatus instance must be reachable over HTTP, or the attacker must hold a man-in-the-middle position on the network path.
- input: The attacker must be able to intercept HTTP traffic between the user and the Gatus server.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 5
News mentions: 0
No linked articles in our index yet.