CVE-2026-27933
Received Received - Intake
Session Hijacking via Cookie Leakage in Manyfold Web App

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27933
EUVD
EUVD-2026-8776
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
manyfold manyfold to 0.133.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27933 is a session hijacking vulnerability in the Manyfold web application, caused by cookie leakage in proxy caches. This flaw affects Manyfold versions up to 0.132.1 and allows an attacker to escalate privileges by accessing cookies improperly shared through proxy caches.

The vulnerability was discovered when a user logged into Manyfold on two different devices with different accounts and networks experienced privilege escalation on one device, gaining unauthorized admin access. This occurred even after clearing cookies and using private browsing, and across devices on the same network.

The issue is fixed starting from Manyfold version 0.133.0.

Impact Analysis

This vulnerability can allow unauthorized users to hijack sessions and escalate their privileges within the Manyfold application.

  • Attackers can gain access to admin-only site settings and sensitive information such as registered accounts.
  • It can lead to unauthorized data access and modification, impacting confidentiality and integrity.

However, it does not affect the availability of the application.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unexpected session privilege escalations or unauthorized access to admin-only functions when users are logged in on multiple devices or networks simultaneously.'}, {'type': 'paragraph', 'content': 'Since the issue involves cookie leakage in proxy caches, you can inspect HTTP headers and cookies being passed through your proxy (e.g., Nginx) to check if session cookies are improperly cached or shared.'}, {'type': 'paragraph', 'content': 'Suggested commands include using tools like curl or tcpdump to capture and analyze HTTP traffic for cookie leakage.'}, {'type': 'list_item', 'content': "Use tcpdump to capture HTTP traffic on the proxy server: tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443'"}, {'type': 'list_item', 'content': 'Use curl to inspect response headers for cache control directives: curl -I https://your-manyfold-instance'}, {'type': 'list_item', 'content': 'Check Nginx proxy cache configuration to ensure cookies are not cached or shared between users.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Manyfold to version 0.133.0 or later, where this vulnerability has been fixed.

Additionally, review and adjust your proxy cache settings (e.g., Nginx) to prevent caching of session cookies or other sensitive authentication tokens.

If upgrading immediately is not possible, consider restricting public exposure of the Manyfold instance and limit access to trusted networks or users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart