CWE-488
AllowedExposure of Data Element to Wrong Session
Abstraction: Base · Status: Draft
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
50 vulnerabilities reference this CWE, most recent first.
GHSA-7W6R-748W-MH52
Vulnerability from github – Published: 2025-01-09 09:31 – Updated: 2025-02-06 19:50A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pgadmin4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1907"
],
"database_specific": {
"cwe_ids": [
"CWE-276",
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-09T17:34:19Z",
"nvd_published_at": "2025-01-09T08:15:24Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user\u0027s session if multiple connection attempts occur simultaneously.",
"id": "GHSA-7w6r-748w-mh52",
"modified": "2025-02-06T19:50:22Z",
"published": "2025-01-09T09:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1907"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/issues/6100"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/commit/fa29ba91632634d961f937ce3ed2c3b5a9d78f59"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-1907"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218384"
},
{
"type": "PACKAGE",
"url": "https://github.com/pgadmin-org/pgadmin4"
},
{
"type": "WEB",
"url": "https://github.com/pgadmin-org/pgadmin4/blob/a9974b418c49760d3989b7fb25e052ff16b89ac6/docs/en_US/release_notes_7_0.rst"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "pgAdmin has Incorrect Default Permissions"
}
GHSA-82VP-JR39-4J2J
Vulnerability from github – Published: 2024-05-30 18:22 – Updated: 2024-05-30 18:22It has been discovered session data of properly authenticated and logged in frontend users is kept and transformed into an anonymous user session during the logout process. This way the next user using the same client application gains access to previous session data.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.27"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T18:22:41Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "It has been discovered session data of properly authenticated and logged in frontend users is kept and transformed into an anonymous user session during the logout process. This way the next user using the same client application gains access to previous session data.",
"id": "GHSA-82vp-jr39-4j2j",
"modified": "2024-05-30T18:22:41Z",
"published": "2024-05-30T18:22:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3-CMS/core/commit/c8c08ca0c26db02753c243e175a8a045628341b6"
},
{
"type": "WEB",
"url": "https://github.com/TYPO3-CMS/core/commit/fe43834075ae283c8cd91949e9f1dfd18b2d492f"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/2019-06-25-3.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/TYPO3-CMS/core"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2019-018"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "TYPO3 Security Misconfiguration in Frontend Session Handling"
}
GHSA-9442-GM4V-R222
Vulnerability from github – Published: 2024-06-20 15:31 – Updated: 2026-02-27 21:38A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0.Alpha1"
},
{
"fixed": "2.3.14.Final"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "io.undertow:undertow-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.33.Final"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-6162"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-20T16:22:33Z",
"nvd_published_at": "2024-06-20T15:15:50Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as \"404 Not Found\" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.",
"id": "GHSA-9442-gm4v-r222",
"modified": "2026-02-27T21:38:27Z",
"published": "2024-06-20T15:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6162"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/pull/1612"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/commit/90f202ada89b6d9883beed0f1fe10c99d470d9a8"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/commit/a28ac53076e2fa532266d25e0c0b1a01d0e9d2cf"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1194"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4386"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:4884"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-6162"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293069"
},
{
"type": "PACKAGE",
"url": "https://github.com/undertow-io/undertow"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/releases/tag/2.2.33.Final"
},
{
"type": "WEB",
"url": "https://github.com/undertow-io/undertow/releases/tag/2.3.14.Final"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/JBEAP-26268"
},
{
"type": "WEB",
"url": "https://issues.redhat.com/browse/UNDERTOW-2334"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241129-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Undertow\u0027s url-encoded request path information can be broken on ajp-listener"
}
GHSA-947M-JHCV-94RP
Vulnerability from github – Published: 2024-10-10 09:30 – Updated: 2024-10-10 09:30In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.
{
"affected": [],
"aliases": [
"CVE-2024-7049"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-10T08:15:03Z",
"severity": "MODERATE"
},
"details": "In version v0.3.8 of open-webui/open-webui, a vulnerability exists where a token is returned when a user with a pending role logs in. This allows the user to perform actions without admin confirmation, bypassing the intended approval process.",
"id": "GHSA-947m-jhcv-94rp",
"modified": "2024-10-10T09:30:35Z",
"published": "2024-10-10T09:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7049"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/ee9e3532-8ef1-4599-bb59-b8e2ba43a1fc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-97G8-XFVW-Q4HG
Vulnerability from github – Published: 2022-12-13 19:44 – Updated: 2023-09-20 22:30An issue was discovered in Keycloak when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.
This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the offline_access scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 19.0.2"
},
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "20.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-3916"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-304",
"CWE-488",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-13T19:44:33Z",
"nvd_published_at": "2023-09-20T15:15:11Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Keycloak when using a client with the `offline_access` scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.\n\nThis issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the `offline_access` scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.",
"id": "GHSA-97g8-xfvw-q4hg",
"modified": "2023-09-20T22:30:19Z",
"published": "2022-12-13T19:44:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8961"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8963"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2022:8965"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1043"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1044"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1045"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1047"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:1049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-3916"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak vulnerable to session takeover with OIDC offline refreshtokens"
}
GHSA-9C38-2MCM-Q7F7
Vulnerability from github – Published: 2026-06-16 19:01 – Updated: 2026-06-16 19:01Impact
An authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node's SQL Query mode. Because the sandbox context was cached and reused across all workflow executions on the instance, prototype mutations introduced by one user's workflow persist into subsequent Merge SQL executions belonging to other users or projects. This allowed a low-privileged attacker to intercept workflow data processed by other users on the same instance.
This issue only affects multi-user n8n instances where more than one user has permission to create and execute workflows containing the Merge node in SQL Query mode.
Patches
The issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.
Workarounds
If upgrading is not immediately possible, administrators should consider the following temporary mitigations:
- Limit workflow creation and editing permissions to fully trusted users only.
- Disable the Merge node by adding n8n-nodes-base.merge to the NODES_EXCLUDE environment variable.
These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "2.26.0"
},
{
"fixed": "2.26.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "n8n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.25.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54311"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T19:01:16Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Impact\nAn authenticated user with permission to create or modify workflows could pollute the sandbox used by the Merge node\u0027s SQL Query mode. Because the sandbox context was cached and reused across all workflow executions on the instance, prototype mutations introduced by one user\u0027s workflow persist into subsequent Merge SQL executions belonging to other users or projects. This allowed a low-privileged attacker to intercept workflow data processed by other users on the same instance.\n\nThis issue only affects multi-user n8n instances where more than one user has permission to create and execute workflows containing the Merge node in SQL Query mode.\n\n## Patches\nThe issue has been fixed in n8n versions 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.",
"id": "GHSA-9c38-2mcm-q7f7",
"modified": "2026-06-16T19:01:16Z",
"published": "2026-06-16T19:01:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-9c38-2mcm-q7f7"
},
{
"type": "PACKAGE",
"url": "https://github.com/n8n-io/n8n"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "n8n: Merge Node SQL Mode Prototype Pollution"
}
GHSA-C3C3-3XH6-R623
Vulnerability from github – Published: 2025-03-25 18:30 – Updated: 2025-03-25 18:30A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host's Kerberos credentials cache.
{
"affected": [],
"aliases": [
"CVE-2025-2312"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-25T18:15:34Z",
"severity": "MODERATE"
},
"details": "A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to the wrong namespace in containerized environments. This issue may lead to disclosing sensitive data from the host\u0027s Kerberos credentials cache.",
"id": "GHSA-c3c3-3xh6-r623",
"modified": "2025-03-25T18:30:54Z",
"published": "2025-03-25T18:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2312"
},
{
"type": "WEB",
"url": "https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174"
},
{
"type": "WEB",
"url": "https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/smb?id=db363b0a1d9e6b9dc556296f1b1007aeb496a8cf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CJP9-H6X7-98P3
Vulnerability from github – Published: 2025-03-26 21:31 – Updated: 2025-03-27 15:31An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. The reference assigned to transactions can be reused. When completing a payment, the first or all transactions with the same reference are completed, depending on timing. This can be used to transfer more money onto employee cards than is paid.
{
"affected": [],
"aliases": [
"CVE-2025-30073"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-26T20:15:22Z",
"severity": "HIGH"
},
"details": "An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. The reference assigned to transactions can be reused. When completing a payment, the first or all transactions with the same reference are completed, depending on timing. This can be used to transfer more money onto employee cards than is paid.",
"id": "GHSA-cjp9-h6x7-98p3",
"modified": "2025-03-27T15:31:06Z",
"published": "2025-03-26T21:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30073"
},
{
"type": "WEB",
"url": "https://www.syss.de/pentest-blog/businesslogik-fehler-bei-aufwertung-von-geldkarten-in-opcr-webapp-aufwertung-syss-2024-089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H546-6X4H-W6Q7
Vulnerability from github – Published: 2025-10-22 18:30 – Updated: 2026-04-24 00:31Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.
The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
{
"affected": [],
"aliases": [
"CVE-2025-24934"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T18:15:34Z",
"severity": "MODERATE"
},
"details": "Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.\n\n\n\n\nThe kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets\u00a0are only supposed to receive packets originating from the connected host.",
"id": "GHSA-h546-6x4h-w6q7",
"modified": "2026-04-24T00:31:50Z",
"published": "2025-10-22T18:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24934"
},
{
"type": "WEB",
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc"
},
{
"type": "WEB",
"url": "https://www.usenix.org/system/files/conference/usenixsecurity26/sec26_prepub_ben-simhon.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H55G-WW3M-9HQ9
Vulnerability from github – Published: 2026-03-24 21:31 – Updated: 2026-03-24 21:31For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information in Zabbix documentation.
{
"affected": [],
"aliases": [
"CVE-2026-23919"
],
"database_specific": {
"cwe_ids": [
"CWE-488"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T19:16:49Z",
"severity": "HIGH"
},
"details": "For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information \u003ca href=\u0027https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe\u0027\u003ein Zabbix documentation\u003c/a\u003e.",
"id": "GHSA-h55g-ww3m-9hq9",
"modified": "2026-03-24T21:31:23Z",
"published": "2026-03-24T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23919"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-27638"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
Protect the application's sessions from information leakage. Make sure that a session's data is not used or visible by other sessions.
Mitigation
Use a static analysis tool to scan the code for information leakage vulnerabilities (e.g. Singleton Member Field).
Mitigation
In a multithreading environment, storing user data in Servlet member fields introduces a data access race condition. Do not use member fields to store information in the Servlet.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.