CVE-2026-40010
Modified Modified - Updated After Analysis
Session Fixation in Apache Wicket via Missing Session ID Regeneration

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: Apache Software Foundation

Description
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for aΒ session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40010
EUVD
EUVD-2026-27554
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache wicket From 10.0.0 (inc) to 10.9.0 (exc)
apache wicket From 8.0.0 (inc) to 8.17.0 (inc)
apache wicket From 9.0.0 (inc) to 9.22.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-384 Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40010 is a critical security vulnerability in Apache Wicket that arises from a missing invocation of the Servlet method changeSessionId after session binding.

This omission can be exploited by an attacker to perform a session fixation attack, where the attacker forces a user's session ID to a known value, potentially allowing unauthorized access.

Impact Analysis

This vulnerability can allow an attacker to fixate a user's session ID, which may lead to unauthorized access to the victim's session and sensitive data.

Exploitation of this issue could result in compromised user accounts, data breaches, and unauthorized actions performed on behalf of the user.

Users of affected Apache Wicket versions are advised to upgrade to version 10.9.0 or later to mitigate this risk.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Wicket to version 10.9.0 or later, which includes the fix for the missing invocation of the Servlet method changeSessionId after session binding.

Compliance Impact

The vulnerability in Apache Wicket allows for a session fixation attack due to a missing invocation of the Servlet method changeSessionId after session binding.

Session fixation attacks can lead to unauthorized access to user sessions, potentially exposing sensitive personal or health information.

Such unauthorized access could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of user data and secure session management.

Therefore, failure to mitigate this vulnerability may result in non-compliance with these regulations due to increased risk of data breaches.

Upgrading to Apache Wicket version 10.9.0 or later is recommended to fix this issue and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40010. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart