CVE-2026-3401
Session Expiration Vulnerability in SourceCodester Pharmacy System

Publication date: 2026-03-02

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks.
Meta Information

Record generated: 2026-05-07
AI Q&A generated: 2026-03-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)

Vendor: senior-walter
Product: web-based_pharmacy_product_management_system
Version / Range: 1.0
CWE

CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3401 is a session management vulnerability in SourceCodester Web-based Pharmacy Product Management System version 1.0. The issue occurs because the system fails to invalidate active user sessions after an Admin account is deleted by a Super Admin. This means that even though the deleted Admin cannot log in again, their existing session remains active and grants access to protected administrative pages until it expires or the user logs out manually.

This flaw allows a privilege revocation bypass, where a deleted Admin retains access rights despite account removal, due to improper session expiration and access control.


How can this vulnerability impact me?

This vulnerability can allow unauthorized access to administrative functions by users whose accounts have been deleted but whose sessions remain active. An attacker or a deleted Admin could continue to access sensitive administrative pages without proper authorization.

Because the session remains valid, it undermines the integrity of the system by allowing privilege revocation bypass, potentially leading to unauthorized actions within the application.

Remote exploitation is possible, and a public exploit exists, although the attack complexity is considered moderate to high.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper session invalidation after an Admin account is deleted, allowing existing sessions to remain active. Detection would involve monitoring for active sessions that belong to deleted accounts.

Since the vulnerability is related to PHP session IDs (PHPSESSID) remaining valid after account deletion, you can check active session files or session storage for sessions linked to deleted accounts.

Commands to detect this might include:

  • On the web server, list active PHP session files (commonly stored in /var/lib/php/sessions or a custom session directory): ls -l /var/lib/php/sessions/
  • Check the contents of session files to identify sessions associated with deleted Admin accounts (requires knowledge of session data format): cat /var/lib/php/sessions/sess_<session_id>
  • Monitor web server logs for requests using session cookies of deleted accounts by filtering logs for PHPSESSID values that correspond to deleted users.

However, no specific detection commands or tools are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability arises from the failure to invalidate active sessions after an Admin account is deleted, allowing continued access despite privilege revocation.

Immediate mitigation steps include:

  • Manually log out or terminate active sessions associated with deleted accounts to prevent unauthorized access.
  • If possible, restart the web server or clear the session storage to invalidate all active sessions.
  • Monitor and audit user sessions regularly to detect any unauthorized access.

Since no official patches or countermeasures are currently recommended, consider replacing the affected product with an alternative solution to avoid this risk.
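The steps above only clear sessions that already exist; the durable fix is to stop treating the session as proof that the account still exists. The following PHP is an added illustration, not code from the SourceCodester project or from VulDB: it shows the weak guard pattern next to one that re-checks the account on every request, and it assumes a PDO connection `$db` and a `users` table with `id`, `role` and a `session_generation` column (all hypothetical names).

```php
<?php
// Added illustration, not the SourceCodester project's own code.
// Assumes a PDO connection $db and a `users` table with columns
// id, role, session_generation (hypothetical schema).
declare(strict_types=1);

// Weak pattern behind CWE-613 here: the session alone is trusted, so a
// deleted Admin's PHPSESSID keeps working until it expires on its own.
function require_admin_weak(): void {
    session_start();
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        header('Location: login.php');
        exit;
    }
    // Nothing here notices that the account may no longer exist.
}

// Hardened pattern: the session is only a pointer; the database decides.
function require_admin(PDO $db): array {
    session_start();
    $uid = (int) ($_SESSION['user_id'] ?? 0);
    $gen = (int) ($_SESSION['session_generation'] ?? -1);
    $stmt = $db->prepare('SELECT id, role, session_generation FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // Account deleted, role demoted, or generation bumped (forced logout): end it now.
    if ($user === false || $user['role'] !== 'admin'
        || (int) $user['session_generation'] !== $gen) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php');
        exit;
    }
    return $user;
}

// At login, record the generation so later revocations are detectable.
function start_admin_session(array $user): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['role'] = $user['role'];
    $_SESSION['session_generation'] = (int) $user['session_generation'];
}

// Super Admin deleting an Admin: the row is gone, so require_admin() rejects the
// deleted user's very next request. A soft delete would bump session_generation instead.
function delete_admin(PDO $db, int $adminId): void {
    $db->prepare('DELETE FROM users WHERE id = ? AND role = ?')->execute([$adminId, 'admin']);
}
```

Bumping `session_generation` on password change or on a "log out everywhere" action revokes all of that user's sessions with the same check, without touching PHP's session files.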


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

