CVE-2026-32745 is a vulnerability identified in JetBrains Datalore versions prior to 2026.1, classified under CWE-614, which pertains to missing secure attributes in cookie settings. The core issue is that session cookies lack the 'secure' flag, which instructs browsers to only send cookies over HTTPS connections. Without this attribute, cookies can be transmitted over unencrypted HTTP, exposing session tokens to interception by network attackers through man-in-the-middle (MITM) attacks. This vulnerability enables session hijacking, where an attacker can impersonate a legitimate user by stealing their session cookie. The CVSS 3.1 base score is 6.3, indicating a medium severity level. The attack vector is adjacent network (AV:A), meaning the attacker must be on the same network or have network access close to the victim. No privileges are required (PR:N), but user interaction is necessary (UI:R), such as the user accessing the service over an insecure connection. The scope is unchanged (S:U), and the impact is high on confidentiality (C:H), low on integrity (I:L), and none on availability (A:N). No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where users connect over insecure networks or where HTTPS enforcement is lax. JetBrains has reserved the CVE and published the vulnerability details, but no patch links are provided in the data, indicating users should upgrade to version 2026.1 or later where the issue is fixed.

The primary impact of this vulnerability is the compromise of user session confidentiality through session hijacking. Attackers who can intercept network traffic, such as those on public Wi-Fi or internal networks, can steal session cookies and gain unauthorized access to user accounts within Datalore. This can lead to unauthorized data access, exposure of sensitive analytics or code, and potential misuse of the platform under the victim's identity. Although integrity and availability impacts are low or none, the confidentiality breach can have significant consequences in environments handling proprietary or sensitive data. Organizations relying on Datalore for collaborative data science or software development may face data leakage risks. The requirement for user interaction and adjacent network access limits the attack scope but does not eliminate risk, especially in remote work or hybrid environments where network security varies. The absence of known exploits reduces immediate risk but does not preclude future exploitation. Overall, the vulnerability can undermine trust in the platform and lead to compliance issues if sensitive data is exposed.

To mitigate this vulnerability, organizations should immediately upgrade JetBrains Datalore to version 2026.1 or later, where the secure cookie attribute issue is resolved. In the interim, enforce HTTPS strictly across all Datalore access points to prevent cookies from being transmitted over unencrypted channels. Implement HTTP Strict Transport Security (HSTS) headers to ensure browsers only connect via HTTPS. Review and configure web server and application settings to explicitly set the 'Secure' and 'HttpOnly' flags on all session cookies. Conduct network segmentation and monitoring to detect suspicious activities indicative of session hijacking attempts. Educate users about the risks of using public or untrusted networks and encourage VPN usage. Additionally, consider implementing multi-factor authentication (MFA) on Datalore accounts to reduce the impact of compromised sessions. Regularly audit and monitor session management practices and logs for anomalies. Finally, stay informed on JetBrains security advisories for any patches or updates related to this vulnerability.