CVE-2026-0696: CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag in ConnectWise PSA
In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
AI Analysis
Technical Summary
CVE-2026-0696 identifies a vulnerability in ConnectWise PSA, a professional services automation tool widely used by managed service providers and IT departments. The issue arises because certain session cookies in versions prior to 2026.1 are not set with the HttpOnly attribute. The HttpOnly flag instructs the browser to withhold a cookie from client-side scripts such as JavaScript, which is the standard safeguard against cross-site scripting (XSS) being turned into session hijacking. Without the flag, an attacker who can induce a user's browser to run a malicious script (through phishing, malicious ads, or a compromised website) can potentially read the session cookie. The vulnerability does not require prior authentication but does require user interaction, such as visiting a malicious site or clicking a link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates a network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No public exploits are currently known, but the weakness could be leveraged in targeted attacks against organizations running vulnerable ConnectWise PSA versions. A missing HttpOnly flag on session cookies is a common oversight that becomes exploitable in combination with other vulnerabilities, such as script injection, or with social engineering. ConnectWise PSA users should upgrade to version 2026.1 or later, where this issue is resolved.
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of session cookies, which could lead to session hijacking and unauthorized access to sensitive management and service automation data. Managed service providers (MSPs) and IT departments using ConnectWise PSA are at particular risk, as attackers gaining session access could manipulate service tickets, client data, or internal workflows. This could result in data breaches, service disruption, or lateral movement within networks. The requirement for user interaction limits mass exploitation but does not eliminate risk, especially in environments with high phishing susceptibility. The impact is heightened in sectors with critical infrastructure or sensitive client data, such as finance, healthcare, and government services. Additionally, compromised MSPs could serve as attack vectors to their clients, amplifying the threat. While no integrity or availability impact is noted, the confidentiality breach alone can have serious regulatory and reputational consequences under GDPR and other European data protection laws.
Mitigation Recommendations
European organizations should immediately plan to upgrade ConnectWise PSA to version 2026.1 or later once available, as this will ensure session cookies are properly set with the HttpOnly flag. Until the patch is applied, organizations should implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, reducing the risk of cookie theft via XSS. Regular security awareness training should be conducted to reduce the likelihood of successful phishing attacks that could trigger exploitation. Network-level protections such as web filtering and endpoint security solutions can help block access to known malicious sites. Additionally, organizations should monitor for unusual session activity and consider implementing multi-factor authentication (MFA) to reduce the impact of stolen session cookies. Reviewing and tightening cookie security settings, including Secure and SameSite attributes, can further mitigate risks. Finally, incident response plans should be updated to address potential session hijacking scenarios.
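The cookie-attribute review recommended above can be automated against the Set-Cookie headers an application actually emits. The following is an added example written for this page, not ConnectWise code: it parses each Set-Cookie header, flags session cookies that lack HttpOnly (the CWE-1004 condition described in the Technical Summary) together with missing Secure and SameSite attributes, and shows the corrected header beside the weak one. The session-name heuristics and the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for the weakness behind CWE-1004 (missing HttpOnly).

Added example, not ConnectWise code. The session-name heuristics and the sample
headers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Substrings that usually mark a cookie as carrying a session or auth token.
# Constructed heuristic list; extend it with the cookie names your application uses.
SESSION_NAME_HINTS = ("sess", "auth", "token", "sid")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value: the first segment is name=value,
    the rest are attributes (RFC 6265 forbids ';' inside cookie values)."""
    segments = [s.strip() for s in header_value.split(";")]
    name = segments[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for seg in segments[1:]:
        if seg:
            key, _, value = seg.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite"),
    )


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_set_cookie(header_value: str) -> CookieAudit:
    """Return the parsed cookie with a list of attribute findings (empty if clean)."""
    cookie = parse_set_cookie(header_value)
    if looks_like_session_cookie(cookie.name) and not cookie.http_only:
        cookie.findings.append("CWE-1004: session cookie readable by client-side script (no HttpOnly)")
    if not cookie.secure:
        cookie.findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if cookie.same_site is None:
        cookie.findings.append("missing SameSite: browser default applies")
    elif cookie.same_site.lower() == "none" and not cookie.secure:
        cookie.findings.append("SameSite=None is rejected by browsers without Secure")
    return cookie


def weak_session_cookies(headers: List[Tuple[str, str]]) -> List[str]:
    """Names of session cookies in a response that a script could read."""
    weak = []
    for field_name, value in headers:
        if field_name.lower() != "set-cookie":
            continue
        audit = audit_set_cookie(value)
        if any(f.startswith("CWE-1004") for f in audit.findings):
            weak.append(audit.name)
    return weak


def harden_set_cookie(header_value: str) -> str:
    """Append Secure, HttpOnly and SameSite=Lax where absent; existing attributes are untouched."""
    cookie = parse_set_cookie(header_value)
    out = header_value.strip().rstrip(";")
    if not cookie.secure:
        out += "; Secure"
    if not cookie.http_only:
        out += "; HttpOnly"
    if cookie.same_site is None:
        out += "; SameSite=Lax"
    return out


# Constructed sample response headers: the first session cookie shows the weak
# configuration described in the advisory, the second the corrected one.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SessionId=abc123; Path=/; Secure"),
    ("Set-Cookie", "AuthToken=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    for field_name, value in SAMPLE_HEADERS:
        if field_name.lower() == "set-cookie":
            audit = audit_set_cookie(value)
            print(audit.name, audit.findings or "OK")
    print(weak_session_cookies(SAMPLE_HEADERS))  # ['SessionId']
    print(harden_set_cookie("SessionId=abc123; Path=/; Secure"))
```

Feed the script the headers captured from a login response (for example from a proxy or the browser's network panel) to confirm whether an installed version still emits session cookies without HttpOnly, and re-run it after upgrading to verify the fix. Note that HttpOnly only stops scripts from reading the cookie; it does not stop a script already running in the page from issuing authenticated requests, which is why the CSP and MFA recommendations above remain relevant.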
Affected Countries
United Kingdom, Germany, Netherlands, France, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: ConnectWise
- Date Reserved: 2026-01-07T21:32:00.544Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696a4268b22c7ad868a8d100
Added to database: 1/16/2026, 1:51:36 PM
Last enriched: 1/16/2026, 2:06:16 PM
Last updated: 1/16/2026, 3:09:00 PM