CVE-2026-27933 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting manyfold3d's manyfold, an open-source, self-hosted web application designed to manage collections of 3D models, particularly for 3D printing. Versions prior to 0.133.0 do not properly expire user sessions, which can lead to session hijacking through cookie leakage in proxy caches. When a user authenticates, session cookies are stored but due to improper cache control headers or session management, these cookies can be cached by intermediary proxy servers. An attacker with access to the same proxy cache can retrieve these cookies and impersonate the user, gaining unauthorized access to the application with the victim's privileges. The CVSS v3.1 score is 6.8 (medium), reflecting network attack vector, high complexity, no privileges required, user interaction needed, and high impact on confidentiality and integrity but no availability impact. The vulnerability was published on February 25, 2026, and fixed in version 0.133.0 of manyfold. No known exploits have been reported in the wild. The vulnerability primarily affects environments where manyfold is deployed behind proxy caches that are not properly configured to prevent caching of sensitive cookies.

The vulnerability allows attackers to hijack user sessions by exploiting cookie leakage in proxy caches, potentially leading to unauthorized access to sensitive 3D model collections and related data. This compromises confidentiality and integrity, as attackers can view, modify, or delete 3D models managed by manyfold. Organizations relying on manyfold for intellectual property management, especially in industries like 3D printing, manufacturing, or design, face risks of data theft, intellectual property loss, and operational disruption. Although availability is not directly impacted, the breach of confidentiality and integrity can have significant business consequences, including reputational damage and regulatory compliance issues. The requirement for user interaction and high attack complexity somewhat limits exploitation, but the network attack vector means remote attackers can attempt exploitation if proxy caches are misconfigured. The absence of known exploits in the wild suggests limited current active threat but does not preclude future exploitation.

1. Upgrade manyfold to version 0.133.0 or later, which contains the fix for this vulnerability. 2. Review and configure all proxy caches and reverse proxies in front of manyfold to ensure that session cookies are not cached. This includes setting appropriate Cache-Control headers such as 'no-store' and 'private' on responses containing authentication cookies. 3. Implement secure cookie attributes like 'HttpOnly', 'Secure', and 'SameSite' to reduce cookie leakage risks. 4. Enforce short session lifetimes and implement session invalidation on logout or inactivity to minimize the window of opportunity for session hijacking. 5. Monitor access logs for unusual access patterns that may indicate session hijacking attempts. 6. Educate users about the risks of interacting with untrusted networks or proxies that may cache sensitive information. 7. Consider deploying Web Application Firewalls (WAFs) that can detect and block suspicious session-related activities. 8. Conduct regular security assessments and penetration tests focusing on session management and proxy configurations.