CVE-2026-30969
Session Fixation Vulnerability in Coral Server Allows Agent Impersonation
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| coralos | coral_server | < 1.1.0 (all versions before 1.1.0; 1.1.0 itself is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30969 is a vulnerability in Coral Server versions before 1.1.0. During an active session the server did not bind an agent's identity to anything beyond the session identifier, so it could not distinguish a legitimate agent from anyone else presenting the same identifier.
As a result, an attacker who obtained or predicted a valid session identifier (for example by fixing it in advance, observing it in transit, or guessing a weakly generated value) could impersonate an agent in that session or join an existing session without authorization. This is the CWE-639 pattern listed above: authorization keyed on a client-supplied identifier rather than on a secret the client must prove it holds.
The vulnerability was fixed in version 1.1.0 by introducing per-agent session secrets. A secret is generated for each agent when the session is created, must accompany every agent-to-server communication, and is invalidated when the session ends, so a session identifier alone is no longer sufficient to act as an agent.
How can this vulnerability impact me?
This vulnerability can allow an attacker to impersonate a legitimate agent or join an existing session by presenting a valid session identifier that they obtained or guessed, without holding any further credential.
Because agents in a Coral Server session act on each other's messages, such access could lead to unauthorized actions being performed under an agent's identity, exposure of session data, or manipulation of the work the session is carrying out, which makes this a high-risk issue for any deployment exposed beyond a trusted network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insufficient authentication between agents and the Coral Server during active sessions: an attacker who obtains or predicts a session identifier can impersonate an agent, so there is no malformed input or crash signature to look for. Detection has to rely on session behaviour that does not fit the legitimate agents.
Indicators worth monitoring are a single agent identity appearing from more than one source address within one session, messages arriving on a session from an agent that never joined it, and session identifiers being reused outside the context in which they were issued.
Server-side logs are the most reliable source for this, because they record which agent identity and which session each request was attributed to.
- Use network traffic analysis tools (e.g., Wireshark or tcpdump) to capture and inspect session identifiers in agent-server communications.
- Run a command like `tcpdump -i <interface> -A port <coral_server_port>` to capture traffic and print payloads as ASCII; note that this only reveals session tokens when the connection is unencrypted, so if the server is behind TLS you will need to inspect at the TLS terminator or rely on logs instead.
- Check server logs for the same session identifier being used by one agent from multiple source addresses, or for agents sending on a session without a corresponding join.
However, no specific detection commands or tools are provided in the available resources, and the exact log format depends on how your Coral Server deployment is configured.
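The following added example (not code from the Coral project or from this advisory) implements the log-based checks described above over a handful of constructed log lines. The `session=... agent=... src=... event=...` line format is an assumption made for the example, since the page does not document Coral Server's real log layout; adjust `LINE_RE` to match your deployment.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical key=value format. The real
# Coral Server log format is not given on this page; adapt LINE_RE to yours.
# Line 3 shows "planner" reusing its session from a new address, and line 6
# shows an identity sending on the session without ever joining it.
SAMPLE_LOG = """\
2026-03-11T10:00:01Z session=sess-7f3a agent=planner src=10.0.0.5 event=join
2026-03-11T10:00:09Z session=sess-7f3a agent=planner src=10.0.0.5 event=message
2026-03-11T10:01:42Z session=sess-7f3a agent=planner src=198.51.100.23 event=message
2026-03-11T10:02:00Z session=sess-7f3a agent=executor src=10.0.0.6 event=join
2026-03-11T10:03:12Z session=sess-7f3a agent=executor src=10.0.0.6 event=message
2026-03-11T10:04:00Z session=sess-7f3a agent=intruder src=198.51.100.23 event=message
2026-03-11T10:05:00Z session=sess-9c11 agent=reviewer src=10.0.0.7 event=join
2026-03-11T10:05:30Z session=sess-9c11 agent=reviewer src=10.0.0.7 event=message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) agent=(?P<agent>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_suspicious_sessions(text):
    """Return {session_id: [reason, ...]} for sessions showing signs of identifier
    reuse or impersonation:
      - the same (session, agent) pair seen from more than one source address
      - an agent sending messages on a session it never joined
    """
    sources = defaultdict(set)   # (session, agent) -> {src addresses}
    joined = defaultdict(set)    # session -> {agents that sent a join}
    messaged = defaultdict(set)  # session -> {agents that sent a message}
    for rec in parse_log(text):
        sources[(rec["session"], rec["agent"])].add(rec["src"])
        if rec["event"] == "join":
            joined[rec["session"]].add(rec["agent"])
        elif rec["event"] == "message":
            messaged[rec["session"]].add(rec["agent"])

    findings = defaultdict(list)
    for (session, agent), srcs in sources.items():
        if len(srcs) > 1:
            findings[session].append(
                f"agent {agent} used session from {len(srcs)} sources: {sorted(srcs)}"
            )
    for session, agents in messaged.items():
        for agent in sorted(agents - joined[session]):
            findings[session].append(f"agent {agent} sent messages without joining")
    return dict(findings)


if __name__ == "__main__":
    for session, reasons in find_suspicious_sessions(SAMPLE_LOG).items():
        print(session)
        for reason in reasons:
            print("  -", reason)
```

Run it against your own log export by replacing `SAMPLE_LOG` with the file contents. A legitimate agent that roams between addresses (for example behind a NAT pool) will also trip the first rule, so treat the output as a triage list rather than an alert on its own.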
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Coral Server to version 1.1.0 or later, where the vulnerability is fixed by enforcing per-agent session secrets.
This update introduces a secret for each agent, generated at session creation, that must accompany all agent-to-server communications and is invalidated when the session ends; a session identifier on its own no longer grants access. After upgrading, end any sessions that were active on the vulnerable version so that identifiers an attacker may already have observed are retired.
Until the upgrade can be applied, restrict access to the Coral Server to trusted networks, use TLS so session identifiers cannot be read off the wire, and monitor for the suspicious session activity described above.
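To make the difference between the two authentication models concrete, here is an added example (illustrative code, not Coral Server's implementation) of an in-memory session store before and after the change the advisory describes: the weak store authorizes on session identifier alone, while the hardened store mints an independent per-agent secret at session creation, checks it on every call, and discards it when the session ends. Class and method names are this example's own.

```python
import hmac
import secrets


class WeakSessionStore:
    """Model of the behaviour the advisory attributes to versions before 1.1.0:
    knowing a session id is enough to act as any agent in that session."""

    def __init__(self):
        self.sessions = {}  # session_id -> set(agent_id)

    def create_session(self, agent_ids):
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = set(agent_ids)
        return session_id

    def authorize(self, session_id, agent_id, secret=None):
        # The secret argument is accepted but never checked (CWE-639 pattern).
        agents = self.sessions.get(session_id)
        return agents is not None and agent_id in agents


class HardenedSessionStore:
    """Model of the 1.1.0 fix as described: a per-agent secret is generated at
    session creation, required on every call, and invalidated at session end."""

    def __init__(self):
        self.sessions = {}  # session_id -> {agent_id: secret}

    def create_session(self, agent_ids):
        session_id = secrets.token_urlsafe(16)
        # One independent 256-bit secret per agent: the session id, or another
        # agent's secret, gives no ability to speak as this agent.
        self.sessions[session_id] = {a: secrets.token_urlsafe(32) for a in agent_ids}
        return session_id, dict(self.sessions[session_id])

    def authorize(self, session_id, agent_id, secret=None):
        agents = self.sessions.get(session_id)
        if agents is None or agent_id not in agents or secret is None:
            return False
        # Constant-time comparison so response timing does not leak the secret.
        return hmac.compare_digest(agents[agent_id], secret)

    def end_session(self, session_id):
        # Dropping the secrets invalidates them; later replay fails closed.
        self.sessions.pop(session_id, None)


def demo():
    """An attacker holding only the session id succeeds against the weak store and
    fails against the hardened one; a cross-agent secret and a post-session replay
    fail as well, while the legitimate agent is still admitted."""
    weak = WeakSessionStore()
    sid = weak.create_session(["planner", "executor"])
    weak_id_only = weak.authorize(sid, "planner")  # attacker impersonates planner

    hard = HardenedSessionStore()
    sid, issued = hard.create_session(["planner", "executor"])
    hard_id_only = hard.authorize(sid, "planner")                          # id only
    hard_cross_agent = hard.authorize(sid, "planner", issued["executor"])  # wrong agent's secret
    hard_legit = hard.authorize(sid, "planner", issued["planner"])
    hard.end_session(sid)
    hard_after_end = hard.authorize(sid, "planner", issued["planner"])     # replay after end
    return {
        "weak_id_only": weak_id_only,
        "hard_id_only": hard_id_only,
        "hard_cross_agent": hard_cross_agent,
        "hard_legit": hard_legit,
        "hard_after_end": hard_after_end,
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'ALLOWED' if allowed else 'denied'}")
```

The secret must travel with every request, not just the join, because the point of the fix is that an identifier leaked or fixed before the session started never becomes sufficient on its own; transport it over TLS, since a secret observed in the clear is no better than the identifier it protects.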