Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3269 is a broken access control vulnerability in Psi Probe, a Tomcat management application, affecting versions up to 5.3.0. The flaw exists in the handleRequestInternal function of the ExpireSessionsController.java file, which handles bulk session expiration requests.'}, {'type': 'paragraph', 'content': 'The vulnerability allows any authenticated user with the low-privileged "probeuser" role to terminate multiple user sessions simultaneously via the /app/expire_list.htm endpoint without proper authorization checks. The application does not verify if the requesting user owns the sessions or has administrative privileges before expiring them.'}, {'type': 'paragraph', 'content': 'This means an attacker can specify arbitrary session IDs and forcibly log out multiple users across different web applications in a single request, causing mass disruption.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a widespread denial of service by forcibly terminating multiple user sessions at once. The impact includes:

• Mass disruption by logging out dozens of users simultaneously.
• Cross-application impact affecting multiple deployed web applications.
• Operational paralysis of administrative teams due to forced re-authentication.
• Resource exhaustion caused by repeated forced logouts and re-authentication.
• Loss of productivity and potential data loss from unsaved work.

The attack can be launched remotely with low complexity and requires only low privileges, making it easy for attackers to exploit.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual HTTP requests to the `/app/expire_list.htm` endpoint, especially POST requests containing multiple `sid_webapp` parameters that specify session IDs and web applications to terminate.'}, {'type': 'paragraph', 'content': 'Detection involves checking for authenticated users with the low-privileged "probeuser" role making bulk session expiration requests without proper authorization.'}, {'type': 'paragraph', 'content': 'Suggested commands include using network monitoring or web server logs to filter requests to `/app/expire_list.htm` and inspecting POST parameters for multiple `sid_webapp` entries.'}, {'type': 'list_item', 'content': 'Use tools like `tcpdump` or `Wireshark` to capture HTTP traffic and filter for POST requests to `/app/expire_list.htm`.'}, {'type': 'list_item', 'content': "Use `grep` or similar commands on web server logs to find requests to `/app/expire_list.htm` with multiple `sid_webapp` parameters, e.g.: `grep '/app/expire_list.htm' /var/log/apache2/access.log | grep 'sid_webapp'`."}, {'type': 'list_item', 'content': 'Check application logs for session expiration events triggered by users with the "probeuser" role.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the `/app/expire_list.htm` endpoint to only administrative roles such as `manager-gui` or `admin-gui`.

Implement authorization checks to validate session ownership before allowing session expiration.

Limit the number of sessions that can be expired in a single request to prevent abuse.

Enable logging and monitoring of bulk session expiration attempts to detect and respond to suspicious activity.

Additional recommendations include implementing rate limiting, CAPTCHA on bulk operation endpoints, requiring re-authentication for bulk session termination, and considering cooldown periods between bulk operations.

If possible, update or patch the application to a version that includes these security improvements or consider replacing the affected product.

Useful 0 Not Useful 0