Critical severity9.1NVD Advisory· Published May 6, 2026· Updated May 7, 2026

CVE-2026-40010

Description

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Affected products

Apache/Wicketinferred2 versions
>=8.0.0,<=8.17.0, =9.0.0, >=10.0.0,<=10.8.0+ 1 more
- (no CPE)range: >=8.0.0,<=8.17.0, =9.0.0, >=10.0.0,<=10.8.0
- cpe:2.3:a:apache:wicket:*:*:*:*:*:*:*:*range: >=8.0.0,<=8.17.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/05/06/1nvdMailing ListThird Party Advisory
github.com/advisories/GHSA-qpjw-p3jg-59j6ghsaADVISORY
lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1nvdVendor Advisory
nvd.nist.gov/vuln/detail/CVE-2026-40010ghsa

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000