CVE-2026-35095: CWE-384: Session Fixation in KTM System e-BOK
KTM System e-BOK accepts a session identifier supplied by the client before authentication: if a cookie with the expected session-cookie name is present, its value is kept unchanged after a successful login instead of being replaced by a server-generated identifier. An attacker who can plant such a cookie in a victim's browser therefore already knows the victim's post-login session ID and can present it to hijack the authenticated session. This issue was fixed in the patch published in June 2026.
AI Analysis
Technical Summary
CVE-2026-35095 describes a session fixation vulnerability (CWE-384) in KTM System e-BOK. The application lets a client choose the session identifier before authentication, and a cookie carrying the expected name is preserved unchanged across a successful login rather than being regenerated. The precondition for exploitation is the ability to set that cookie in the victim's browser for the application's origin (for example through another injection vector or a related domain the attacker controls); once the victim logs in, the attacker-chosen identifier is an authenticated session. A patch resolving this issue was published in June 2026.
Potential Impact
An attacker who has planted a known session identifier in a victim's browser obtains an authenticated session as that user as soon as the victim logs in, giving unauthorized access to the victim's account and to any data or actions available to it in the KTM System e-BOK application. No credentials are needed; the only requirement is the ability to set the cookie before the victim authenticates.
Mitigation Recommendations
A patch fixing this vulnerability was published in June 2026; users and administrators of KTM System e-BOK should apply it. The advisory does not name the fixed version or build, so confirm with the vendor which release contains the fix and update accordingly. To verify a deployment, set a cookie with the application's session-cookie name to an arbitrary value before logging in and compare it with the value returned after a successful login: an unchanged value means the fix is not in place. The expected fix for CWE-384 is to issue a fresh, server-generated session identifier on authentication and to refuse identifiers the server never issued.
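As an added illustration of the behaviour described above and of the fix the mitigation section calls for, the following Python models a minimal login handler in both forms. This is constructed example code, not code from KTM System e-BOK: the cookie name SESSIONID, the victim credentials and the in-memory application are assumptions, since the advisory discloses none of them.

```python
"""Toy model of the CWE-384 behaviour in the advisory, beside the fix.

Constructed example, not code from KTM System e-BOK: an in-memory web app whose
login handler either keeps whatever session cookie the client sent (the
vulnerable behaviour) or replaces it with a fresh server-generated ID (the fix).
"""
import secrets

# Assumed session-cookie name; the advisory does not name the real one.
COOKIE_NAME = "SESSIONID"
# Constructed credentials for the victim account.
VICTIM_USER, VICTIM_PASS = "alice", "correct horse battery staple"


def new_session_id() -> str:
    """Server-side ID generation: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(32)


class SessionApp:
    """Minimal app: plain dicts stand in for the HTTP Cookie / Set-Cookie headers."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session_id -> {"user": username or None}
        self.users = {VICTIM_USER: VICTIM_PASS}

    def session_for(self, cookies: dict) -> str:
        """Return the session ID for a request, creating a session if needed.

        Vulnerable part: a client-supplied value under the right cookie name is
        adopted as the session ID even though the server never issued it.
        """
        sid = cookies.get(COOKIE_NAME) or new_session_id()
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, cookies: dict, username: str, password: str) -> dict:
        """Authenticate; return the cookies the server's Set-Cookie would carry."""
        sid = self.session_for(cookies)
        if self.users.get(username) != password:
            return {COOKIE_NAME: sid}
        if self.regenerate_on_login:
            # Fix for CWE-384: discard the pre-authentication session and bind
            # the login to a new ID that only the server and this browser know.
            del self.sessions[sid]
            sid = new_session_id()
            self.sessions[sid] = {"user": None}
        self.sessions[sid]["user"] = username
        return {COOKIE_NAME: sid}

    def whoami(self, cookies: dict):
        """Who the request's session cookie authenticates as, if anyone."""
        session = self.sessions.get(cookies.get(COOKIE_NAME))
        return session["user"] if session else None


def cookie_preserved_across_login(app: SessionApp) -> bool:
    """The probe a tester runs against a deployment: does a session ID planted
    before login survive a successful login unchanged?"""
    planted = {COOKIE_NAME: new_session_id()}
    after_login = app.login(planted, VICTIM_USER, VICTIM_PASS)
    return after_login[COOKIE_NAME] == planted[COOKIE_NAME]


def run_fixation_attack(app: SessionApp):
    """Full attack: the attacker picks an ID, plants it in the victim's browser,
    the victim logs in, and the attacker then presents the same ID.
    Returns the user the attacker is logged in as (None if the attack failed)."""
    attacker_sid = new_session_id()  # attacker-chosen; how it is planted is out of scope
    victim_browser = {COOKIE_NAME: attacker_sid}
    victim_browser.update(app.login(victim_browser, VICTIM_USER, VICTIM_PASS))
    attacker_browser = {COOKIE_NAME: attacker_sid}
    return app.whoami(attacker_browser)


if __name__ == "__main__":
    for fixed in (False, True):
        app = SessionApp(regenerate_on_login=fixed)
        print(f"regenerate_on_login={fixed}: "
              f"preserved={cookie_preserved_across_login(app)}, "
              f"attacker sees={run_fixation_attack(app)!r}")
```

cookie_preserved_across_login is the same probe to run against a real deployment with any HTTP client: set the session cookie to a value of your choosing, submit a valid login, and compare the Set-Cookie value in the response. The fixed variant here still adopts unknown IDs for unauthenticated sessions; a stricter server refuses identifiers it never issued, and regenerating the ID on every privilege change (login, re-authentication, role change), not only on first login, is the general rule.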
CVSS v4.0
Score: 4.8 (Medium)
Weaknesses
CWE-384: Session Fixation
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2026-04-01T13:05:10.153Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43cd7c27e9c79719e724bb
Added to database: 06/30/2026, 14:06:52 UTC
Last enriched: 06/30/2026, 14:21:35 UTC
Last updated: 06/30/2026, 15:06:36 UTC