CVE-2026-32745: CWE-614 in JetBrains Datalore
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
AI Analysis
Technical Summary
CVE-2026-32745 is a vulnerability identified in JetBrains Datalore prior to version 2026.1, classified under CWE-614 (Sensitive Cookie Without Secure Attribute). The core issue is that session cookies lack the 'Secure' attribute, which instructs browsers to send the cookie only over encrypted HTTPS connections. Without it, the browser will also attach the cookie to any plain HTTP request to the same host, exposing it to interception by attackers on the same or an adjacent network. That exposure enables session hijacking: an attacker who captures the session cookie can impersonate the legitimate user. The CVSS 3.1 base score is 6.3, a medium severity. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same local network or a logically adjacent network segment. No privileges are required (PR:N), but user interaction is necessary (UI:R), such as following a link or loading a page that causes the browser to issue an unencrypted HTTP request to the Datalore host, at which point the cookie is transmitted in the clear. The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), low on integrity (I:L), and none on availability (A:N). No exploits in the wild are currently known, but the risk remains significant because of the potential for session hijacking. JetBrains has reserved the CVE and published the vulnerability details, but no patch links are provided yet, so users should monitor for updates.
Potential Impact
The primary impact of this vulnerability is the compromise of user session confidentiality. Attackers who can intercept session cookies may gain unauthorized access to user accounts within JetBrains Datalore, potentially exposing sensitive data, intellectual property, or proprietary code notebooks. While the integrity and availability of the system are less affected, the breach of confidentiality can lead to further attacks, including privilege escalation or lateral movement within an organization’s environment. Organizations relying on Datalore for collaborative data science and development may face risks of data leakage or unauthorized access, especially when users connect over insecure or public networks. The requirement for adjacent network access and user interaction somewhat limits the attack surface but does not eliminate risk in environments with shared Wi-Fi or compromised internal networks. The absence of known exploits in the wild reduces immediate urgency but does not preclude future exploitation. Overall, the vulnerability poses a moderate risk to organizations worldwide, particularly those with high-value data and collaborative workflows.
Mitigation Recommendations
To mitigate this vulnerability, organizations should ensure that all JetBrains Datalore instances are updated to version 2026.1 or later as soon as it is available, as this version addresses the missing 'Secure' attribute on cookies. Until patches are deployed, administrators should enforce HTTPS strictly across all Datalore web traffic so that cookies are never transmitted over unencrypted channels. Implementing HTTP Strict Transport Security (HSTS) headers helps enforce HTTPS usage, with the caveat that a browser only honours HSTS after it has received the header over a successful HTTPS connection, so the very first plain HTTP request is not protected. Additionally, network segmentation and the use of VPNs can reduce exposure to adjacent-network attackers. Educate users to avoid accessing Datalore over untrusted or public Wi-Fi networks without a VPN. Monitoring network traffic for suspicious activity and session anomalies (for example, an existing session token appearing from a new client address or user agent) can help detect attempted hijacking. Finally, JetBrains should be engaged to provide timely patches and guidance, and organizations should review their cookie security policies against best practices, including setting the 'HttpOnly' and 'SameSite' attributes where appropriate.
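As an added example that is not JetBrains' or Datalore's code, the following Python audit covers both the attribute behaviour described in the Technical Summary and the cookie-policy review recommended above: it parses the Set-Cookie and Strict-Transport-Security headers of a response and reports the CWE-614 condition together with the related HttpOnly and SameSite gaps. The cookie name `session_id` and the two sample header sets are constructed assumptions, not captured Datalore traffic.

```python
"""Audit Set-Cookie and HSTS headers for CWE-614 (missing Secure attribute).

Added example, not JetBrains/Datalore code. Sample headers and the cookie
name 'session_id' are constructed for illustration only.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    samesite: str | None
    issues: list[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieFinding:
    """Split one Set-Cookie value into its name and the attributes checked here."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")  # flag attributes have an empty val
        attrs[key.strip().lower()] = val.strip().lower()
    return CookieFinding(name, "secure" in attrs, "httponly" in attrs,
                         attrs.get("samesite") or None)


def audit_headers(headers: list[tuple[str, str]]) -> dict:
    """Return per-cookie findings, whether HSTS is set, and an overall verdict."""
    cookies: list[CookieFinding] = []
    hsts = False
    for hname, value in headers:
        if hname.lower() == "set-cookie":
            c = parse_set_cookie(value)
            if not c.secure:  # the Datalore pre-2026.1 condition
                c.issues.append("CWE-614: no Secure; cookie is sent over plain HTTP")
            if not c.httponly:
                c.issues.append("no HttpOnly; cookie readable from page script")
            if c.samesite is None:
                c.issues.append("no SameSite; no cross-site request restriction")
            cookies.append(c)
        elif hname.lower() == "strict-transport-security" and "max-age=" in value.lower():
            hsts = True
    return {"cookies": cookies, "hsts": hsts,
            "vulnerable": any(not c.secure for c in cookies)}


# Constructed samples: the first mirrors the reported weakness, the second the hardened form.
VULNERABLE = [("Content-Type", "text/html"),
              ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Run `audit_headers(...)` against the headers of a real login response to check a deployment; a `vulnerable` verdict of `True` means at least one cookie would be sent in the clear.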
Affected Countries
United States, Germany, Russia, China, Japan, United Kingdom, France, India, Canada, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: JetBrains
- Date Reserved: 2026-03-13T15:48:07.191Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b45b752f860ef943872ec4
Added to database: 3/13/2026, 6:46:13 PM
Last enriched: 3/13/2026, 6:46:44 PM
Last updated: 3/13/2026, 8:52:19 PM