CVE-2026-3401
Received Received - Intake
Session Expiration Vulnerability in SourceCodester Pharmacy System

Publication date: 2026-03-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3401
EUVD
EUVD-2026-9134
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
senior-walter web-based_pharmacy_product_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can allow unauthorized access to administrative functions by users whose accounts have been deleted but whose sessions remain active. An attacker or a deleted Admin could continue to access sensitive administrative pages without proper authorization.

Because the session remains valid, it undermines the integrity of the system by allowing privilege revocation bypass, potentially leading to unauthorized actions within the application.

Remote exploitation is possible, and a public exploit exists, although the attack complexity is considered moderate to high.

Executive Summary

CVE-2026-3401 is a session management vulnerability in SourceCodester Web-based Pharmacy Product Management System version 1.0. The issue occurs because the system fails to invalidate active user sessions after an Admin account is deleted by a Super Admin. This means that even though the deleted Admin cannot log in again, their existing session remains active and grants access to protected administrative pages until it expires or the user logs out manually.

This flaw allows a privilege revocation bypass, where a deleted Admin retains access rights despite account removal, due to improper session expiration and access control.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves improper session invalidation after an Admin account is deleted, allowing existing sessions to remain active. Detection would involve monitoring for active sessions that belong to deleted accounts.

Since the vulnerability is related to PHP session IDs (PHPSESSID) remaining valid after account deletion, you can check active session files or session storage for sessions linked to deleted accounts.

Commands to detect this might include:

  • On the web server, list active PHP session files (commonly stored in /var/lib/php/sessions or a custom session directory): ls -l /var/lib/php/sessions/
  • Check the contents of session files to identify sessions associated with deleted Admin accounts (requires knowledge of session data format): cat /var/lib/php/sessions/sess_<session_id>
  • Monitor web server logs for requests using session cookies of deleted accounts by filtering logs for PHPSESSID values that correspond to deleted users.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The vulnerability arises from the failure to invalidate active sessions after an Admin account is deleted, allowing continued access despite privilege revocation.

Immediate mitigation steps include:

  • Manually log out or terminate active sessions associated with deleted accounts to prevent unauthorized access.
  • If possible, restart the web server or clear the session storage to invalidate all active sessions.
  • Monitor and audit user sessions regularly to detect any unauthorized access.

Since no official patches or countermeasures are currently recommended, consider replacing the affected product with an alternative solution to avoid this risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart