CWE-384
Session Fixation
Description
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-196 · CAPEC-21 · CAPEC-31 · CAPEC-39 · CAPEC-59 · CAPEC-60 · CAPEC-61
CVEs mapped to this weakness (205)
page 7 of 11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8609 | Low | 0.17 | 3.7 | 0.02 | Aug 1, 2018 | It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks. | ||
| CVE-2026-34454 | Low | 0.16 | 3.5 | 0.00 | Apr 14, 2026 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout… | ||
| CVE-2016-9703 | Low | 0.16 | 2.4 | 0.00 | Feb 1, 2017 | IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information. | ||
| CVE-2021-36394 | 0.01 | — | 0.07 | Mar 6, 2023 | In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin. | |||
| CVE-2026-33757 | 0.00 | — | 0.00 | Mar 27, 2026 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and… | |||
| CVE-2026-33492 | 0.00 | — | 0.00 | Mar 23, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific… | |||
| CVE-2026-30224 | 0.00 | — | 0.00 | Mar 6, 2026 | OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry… | |||
| CVE-2026-24894 | 0.00 | — | 0.00 | Feb 12, 2026 | FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the… | |||
| CVE-2025-65681 | 0.00 | — | 0.00 | Nov 26, 2025 | An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks. | |||
| CVE-2025-55668 | — | 0.00 | — | 0.01 | Aug 13, 2025 | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to… | ||
| CVE-2025-53826 | 0.00 | — | 0.01 | Jul 15, 2025 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs… | |||
| CVE-2025-53021 | 0.00 | — | 0.00 | Jun 24, 2025 | A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being… | |||
| CVE-2025-46815 | 0.00 | — | 0.00 | May 6, 2025 | The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a… | |||
| CVE-2025-1412 | 0.00 | — | 0.00 | Feb 24, 2025 | Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | |||
| CVE-2024-52553 | 0.00 | — | 0.01 | Nov 13, 2024 | Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. | |||
| CVE-2024-23590 | — | 0.00 | — | 0.01 | Nov 4, 2024 | Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. | ||
| CVE-2024-48929 | 0.00 | — | 0.00 | Oct 22, 2024 | Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch… | |||
| CVE-2024-45596 | 0.00 | — | 0.01 | Sep 10, 2024 | Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that… | |||
| CVE-2024-7341 | 0.00 | — | 0.01 | Sep 9, 2024 | A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session… | |||
| CVE-2024-38513 | 0.00 | — | 0.01 | Jul 1, 2024 | Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a… |
- risk 0.17cvss 3.7epss 0.02
It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.
- risk 0.16cvss 3.5epss 0.00
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout…
- risk 0.16cvss 2.4epss 0.00
IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information.
- CVE-2021-36394Mar 6, 2023risk 0.01cvss —epss 0.07
In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.
- CVE-2026-33757Mar 27, 2026risk 0.00cvss —epss 0.00
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and…
- CVE-2026-33492Mar 23, 2026risk 0.00cvss —epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific…
- CVE-2026-30224Mar 6, 2026risk 0.00cvss —epss 0.00
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry…
- CVE-2026-24894Feb 12, 2026risk 0.00cvss —epss 0.00
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the…
- CVE-2025-65681Nov 26, 2025risk 0.00cvss —epss 0.00
An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session checks.
- CVE-2025-55668Aug 13, 2025risk 0.00cvss —epss 0.01
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to…
- CVE-2025-53826Jul 15, 2025risk 0.00cvss —epss 0.01
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs…
- CVE-2025-53021Jun 24, 2025risk 0.00cvss —epss 0.00
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being…
- CVE-2025-46815May 6, 2025risk 0.00cvss —epss 0.00
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a…
- CVE-2025-1412Feb 24, 2025risk 0.00cvss —epss 0.00
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot.
- CVE-2024-52553Nov 13, 2024risk 0.00cvss —epss 0.01
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.
- CVE-2024-23590Nov 4, 2024risk 0.00cvss —epss 0.01
Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
- CVE-2024-48929Oct 22, 2024risk 0.00cvss —epss 0.00
Umbraco is a free and open source .NET content management system. In versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7, during an explicit sign-out, the server session is not fully terminated. Versions 13.5.2 and 10.8.7 contain a patch…
- CVE-2024-45596Sep 10, 2024risk 0.00cvss —epss 0.01
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that…
- CVE-2024-7341Sep 9, 2024risk 0.00cvss —epss 0.01
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session…
- CVE-2024-38513Jul 1, 2024risk 0.00cvss —epss 0.01
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a…