CVE-2026-40010
Session Fixation in Apache Wicket via Missing Session ID Regeneration
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | wicket | From 8.0.0 (inc) to 8.17.0 (inc) |
| apache | wicket | From 9.0.0 (inc) to 9.22.0 (inc) |
| apache | wicket | From 10.0.0 (inc) to 10.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-384 | Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40010 is a session fixation weakness (CWE-384) in Apache Wicket caused by a missing invocation of the Servlet method HttpServletRequest.changeSessionId() after session binding: when Wicket binds a temporary session to the container's HTTP session, the session keeps whatever identifier the browser already presented instead of being issued a fresh one.
An attacker who can make a victim's browser use a session identifier the attacker already knows, before the victim logs in, therefore ends up holding the identifier of the victim's authenticated session and can use it to act as that user.
How can this vulnerability impact me?
Because the identifier is not regenerated, an attacker-chosen session ID survives authentication; whoever holds that ID shares the victim's authenticated session and whatever data and actions it grants.
Exploitation could therefore result in compromised user accounts, exposure of session data, and actions performed on behalf of the user.
Apache Wicket 10.9.0 contains the fix. The affected ranges listed above cover every 8.x release up to and including 8.17.0 and every 9.x release up to and including 9.22.0, and no fixed release is listed for those branches.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache Wicket to version 10.9.0 or later, which adds the invocation of the Servlet method changeSessionId after session binding. Until the upgrade lands, regenerate the session identifier in application code on successful login, before any authenticated state is stored in the session. To confirm that either the fix or the workaround is effective, log in from a browser that already carries a session cookie and check that the login response sets a JSESSIONID (or the equivalent container cookie) different from the one it received.
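The following is an added example for this advisory, not code from the Apache Wicket project and not the project's own fix. It shows the ordering an application still on an affected 8.x or 9.x release can enforce itself: authenticate, rotate the session identifier, then store authenticated state. It assumes the Wicket 9.x API; the subclass-supplied authenticate() method and the LoginPage.html markup (component ids "login", "username", "password", "feedback") are hypothetical and not shown.

```java
// Added example, not Apache Wicket project code. Demonstrates the interim
// defence against CVE-2026-40010 for an application on an affected release:
// after the credential check succeeds, replace the underlying HTTP session so
// any identifier the browser presented before login is discarded, and only
// then store authenticated state under the new identifier.
import org.apache.wicket.Session;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.markup.html.form.PasswordTextField;
import org.apache.wicket.markup.html.form.TextField;
import org.apache.wicket.markup.html.panel.FeedbackPanel;
import org.apache.wicket.model.Model;

public abstract class LoginPage extends WebPage {
    private static final long serialVersionUID = 1L;

    private final TextField<String> username = new TextField<>("username", Model.of(""));
    private final PasswordTextField password = new PasswordTextField("password", Model.of(""));

    /** Hypothetical credential check, implemented by the application's subclass. */
    protected abstract boolean authenticate(String user, String secret);

    public LoginPage() {
        Form<Void> form = new Form<Void>("login") {
            private static final long serialVersionUID = 1L;

            @Override
            protected void onSubmit() {
                String user = username.getModelObject();
                if (!authenticate(user, password.getModelObject())) {
                    error("Invalid username or password");
                    return;
                }

                // Vulnerable ordering on affected releases (for contrast, not executed):
                // bind() attaches the Wicket session to whatever HTTP session id the
                // browser already carries, and the authenticated state is then stored
                // under that possibly attacker-chosen id.
                //
                //   Session.get().bind();
                //   Session.get().setAttribute("user", user);

                // Hardened ordering: discard the pre-login identifier first.
                SessionFixationGuard.rotateSessionId();
                Session.get().setAttribute("user", user);
                setResponsePage(getApplication().getHomePage());
            }
        };
        form.add(username, password);
        add(form);
        add(new FeedbackPanel("feedback"));
    }
}

/** Wicket-level session rotation, callable from any component during a request. */
final class SessionFixationGuard {
    private SessionFixationGuard() {
    }

    /**
     * Invalidates the HTTP session the browser presented and binds the Wicket
     * session to a newly created one, so the container issues a fresh id.
     * Returns the discarded id, or null if no permanent session existed yet.
     */
    static String rotateSessionId() {
        Session session = Session.get();
        String oldId = session.isTemporary() ? null : session.getId();

        // replaceSession() invalidates the current container session through the
        // session store and re-binds; the new binding receives a new id.
        session.replaceSession();

        String newId = session.getId();
        if (newId == null || newId.equals(oldId)) {
            // Fail closed: a container that returned the same id (or none) would
            // leave the fixation window open.
            session.invalidateNow();
            throw new IllegalStateException("session id was not regenerated on login");
        }
        return oldId;
    }
}
```

The rotation deliberately runs before setAttribute(): replaceSession() invalidates the HTTP session that held the old identifier, so anything written to the session earlier in the request would be lost together with that identifier. The guard also compares the identifiers before and after, because a workaround that silently hands back the same id is exactly the condition this CVE describes.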
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Session fixation gives an attacker access to another user's authenticated session, so any personal or health data reachable through the application is exposed to unauthorized access.
Regulations such as GDPR and HIPAA require appropriate safeguards for that data, including secure session management, so leaving this issue unpatched raises the risk of a reportable breach and of being found non-compliant.
Upgrading to Apache Wicket 10.9.0 or later removes the weakness and supports that obligation.