
CVE-2026-3268: Improper Access Controls in psi-probe PSI Probe

Severity: Medium
Published: Thu Feb 26 2026 (02/26/2026, 23:02:08 UTC)
Source: CVE Database V5
Vendor/Project: psi-probe
Product: PSI Probe

Description

A vulnerability was detected in psi-probe PSI Probe up to 5.3.0. The affected element is an unknown function of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the component Session Attribute Handler. Performing a manipulation results in improper access controls. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 23:26:57 UTC

Technical Analysis

CVE-2026-3268 identifies an improper access control vulnerability in the PSI Probe application, specifically affecting versions 5.0 through 5.3.0. The vulnerability resides in the session attribute handler component, within an unspecified function of the RemoveSessAttributeController.java file. PSI Probe is a popular open-source monitoring tool for Apache Tomcat servers, providing insights into server status and session management. The flaw allows remote attackers with low privileges to manipulate session attributes without proper authorization checks, potentially altering or removing session data of other users. The vulnerability is exploitable remotely without user interaction or elevated privileges, increasing its risk profile. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the moderate impact on confidentiality and integrity, with no impact on availability. The vendor was notified but has not responded or issued a patch, and a public exploit exists, although no active exploitation has been reported. This vulnerability could enable attackers to interfere with session integrity, potentially leading to unauthorized access or privilege escalation within affected Tomcat environments monitored by PSI Probe. The lack of vendor response and patch availability heightens the urgency for organizations to implement compensating controls.

Potential Impact

The improper access control vulnerability in PSI Probe can lead to unauthorized manipulation of session attributes, undermining the confidentiality and integrity of user sessions. Attackers could alter or remove session data, potentially hijacking sessions, escalating privileges, or disrupting normal application behavior. This can compromise sensitive information and trust in the monitored environment. Since PSI Probe is widely used for monitoring Apache Tomcat servers, organizations relying on it for session and server management may face increased risk of internal session tampering or external attacks exploiting this flaw. The medium severity rating indicates a moderate but tangible risk, especially in environments where session integrity is critical. The absence of vendor patches and public exploit availability increases the likelihood of exploitation attempts, potentially impacting organizations globally. The vulnerability could also serve as a stepping stone for more complex attacks targeting Tomcat infrastructure.

Mitigation Recommendations

Given the absence of official patches, organizations should implement immediate compensating controls to mitigate risk. First, restrict network access to PSI Probe interfaces by limiting exposure to trusted internal networks or VPNs only. Employ strong authentication and authorization mechanisms around PSI Probe access points to prevent unauthorized users from reaching vulnerable endpoints. Monitor session activity and logs for unusual or unauthorized session attribute changes to detect potential exploitation attempts. Consider disabling or limiting the use of session attribute manipulation features within PSI Probe if feasible. Regularly update and audit Tomcat and PSI Probe configurations to minimize attack surface. Stay alert for vendor updates or community patches addressing this vulnerability and apply them promptly once available. Additionally, conduct security awareness training for administrators managing PSI Probe to recognize and respond to suspicious activity. Finally, consider deploying web application firewalls (WAFs) with custom rules to block suspicious requests targeting session attribute handlers.


Technical Details

Data Version
5.2
Assigner Short Name
VulDB
Date Reserved
2026-02-26T15:13:33.692Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69a0d31032ffcdb8a2667e09

Added to database: 2/26/2026, 11:11:12 PM

Last enriched: 2/26/2026, 11:26:57 PM

Last updated: 4/12/2026, 9:55:17 PM
