CVE-2026-11956
Status: Deferred - Pending Action
OIDC Session Cookie Handler Missing Secure Attribute in TwiN gatus

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: VulDB

Description
A vulnerability was identified in TwiN gatus 5.36.0. The affected function is setSessionCookie in the file security/oidc.go of the OIDC Session Cookie Handler component. Manipulation can result in a sensitive cookie being set without the Secure attribute. The attack can be launched remotely, is characterized by high complexity, and is considered difficult to exploit. The reported GitHub issue was closed with the label "not planned".
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
tw_in    gatus     5.36.0
CWE
CWE-1004: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
CWE-614: The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Executive Summary

This vulnerability exists in the setSessionCookie function of the OIDC Session Cookie Handler in TwiN gatus 5.36.0. The session cookie is set without the HttpOnly and Secure flags, which means the cookie can be accessed by JavaScript and transmitted over unencrypted HTTP connections.

Because the session cookie is the only credential needed to access protected dashboard endpoints, an attacker could potentially hijack a session by capturing this cookie through cross-site scripting (XSS) or network interception if the Gatus instance is accessible over HTTP.

The vulnerability is considered to have high complexity and difficult exploitability, and the reported issue was closed as "not planned" for a fix.

Impact Analysis

If exploited, this vulnerability can lead to unauthorized access to the Gatus dashboard by hijacking the session cookie.

  • An attacker could steal the session cookie via XSS or by intercepting HTTP traffic.
  • With the stolen session cookie, the attacker gains access to protected dashboard endpoints without needing additional credentials.
  • This could allow the attacker to view or manipulate monitoring data and alerts.

However, the attack requires additional conditions such as the presence of XSS vulnerabilities or the use of unencrypted HTTP, and the exploitability is considered difficult.

Detection Guidance

This vulnerability involves the OIDC session cookie being set without the HttpOnly and Secure flags, making it readable by JavaScript and transmittable over plaintext HTTP.

To detect this vulnerability on your network or system, you can inspect the cookies set by the Gatus application, specifically looking for the absence of the Secure and HttpOnly attributes on the session cookie.

One way to check this is by capturing HTTP traffic to see if the session cookie is transmitted over plaintext HTTP without the Secure flag.

  • Use a network traffic analyzer like Wireshark or tcpdump to capture HTTP traffic and inspect the Set-Cookie headers for the session cookie.
  • Example tcpdump command to capture HTTP traffic on port 80: sudo tcpdump -i any -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Use browser developer tools (Network tab) to inspect cookies set by the Gatus dashboard and verify if the Secure and HttpOnly flags are missing.
  • Use curl to make a request and inspect the Set-Cookie header, for example: curl -I http://your-gatus-instance | grep Set-Cookie

Mitigation Strategies

The immediate mitigation step is to ensure that the session cookie set by Gatus includes both the HttpOnly and Secure flags.

This prevents JavaScript access to the cookie and ensures the cookie is only transmitted over HTTPS, reducing the risk of session hijacking via XSS or network interception.

If you are running Gatus, configure it to serve over HTTPS to enable the Secure flag on cookies.

If you have access to the source code or configuration, modify the setSessionCookie function in security/oidc.go to add the HttpOnly and Secure attributes to the session cookie.

Until an official fix is released, consider restricting network access to the Gatus dashboard to trusted networks only to reduce exposure.
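The following Go program is an added example and is not code from the Gatus project or from this page. It serves both the Detection Guidance and the Mitigation Strategies sections above: setSessionCookieHardened is an illustrative replacement for a session-cookie setter that carries the HttpOnly and Secure attributes the advisory says are missing, setSessionCookieWeak reproduces the weak behaviour described (no attributes) for comparison, and CheckSetCookie parses a Set-Cookie header value and reports which of the two attributes are absent, which is the same inspection the guidance describes doing by hand on curl or browser developer-tools output. The cookie name "session", the token value and the SameSite=Lax setting are assumptions (SameSite goes beyond what the page names); the real cookie name used by Gatus is not given on the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed cookie name; the actual name used by Gatus is not stated on the page.
const sessionCookieName = "session"

// setSessionCookieHardened sets the session cookie with HttpOnly and Secure
// (the attributes CWE-1004 and CWE-614 describe as missing) plus SameSite=Lax.
// Illustrative replacement, not the project's own setSessionCookie.
func setSessionCookieHardened(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     sessionCookieName,
		Value:    token,
		Path:     "/",
		HttpOnly: true,                  // not readable from JavaScript
		Secure:   true,                  // only sent over HTTPS
		SameSite: http.SameSiteLaxMode, // assumption beyond what the page names
	})
}

// setSessionCookieWeak mirrors the weak behaviour the advisory describes:
// the cookie is written with no security attributes at all.
func setSessionCookieWeak(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{Name: sessionCookieName, Value: token, Path: "/"})
}

// CheckSetCookie inspects one Set-Cookie header value and returns the security
// attributes (secure, httponly) that are missing from it, in that order.
// Attribute names are compared case-insensitively, as browsers do.
func CheckSetCookie(header string) []string {
	have := map[string]bool{}
	parts := strings.Split(header, ";")
	for _, p := range parts[1:] { // parts[0] is the name=value pair
		attr := strings.ToLower(strings.TrimSpace(p))
		if i := strings.Index(attr, "="); i >= 0 {
			attr = attr[:i] // drop values such as Path=/ or SameSite=Lax
		}
		have[attr] = true
	}
	var missing []string
	for _, want := range []string{"secure", "httponly"} {
		if !have[want] {
			missing = append(missing, want)
		}
	}
	return missing
}

// MissingFlags drives a setter through httptest and returns the attributes
// missing from the session cookie it emits; an empty result means both are set.
func MissingFlags(setter func(http.ResponseWriter, string)) []string {
	rec := httptest.NewRecorder()
	setter(rec, "constructed-session-token") // constructed sample value
	for _, h := range rec.Header().Values("Set-Cookie") {
		if strings.HasPrefix(h, sessionCookieName+"=") {
			return CheckSetCookie(h)
		}
	}
	return []string{"no session cookie set"}
}

func main() {
	fmt.Println("weak:", MissingFlags(setSessionCookieWeak))           // weak: [secure httponly]
	fmt.Println("hardened:", MissingFlags(setSessionCookieHardened))   // hardened: []
}
```

CheckSetCookie can be pointed at a header copied from `curl -sI` output or from the Network tab; note that the session cookie is only written by the OIDC handler after a successful login, so a plain request to the dashboard root will not necessarily show it.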

Compliance Impact

The vulnerability involves the OIDC session cookie being set without the Secure and HttpOnly flags, which can lead to session hijacking via XSS or network interception if the Gatus instance is accessible over HTTP.

This exposure of session cookies could potentially lead to unauthorized access to protected dashboard endpoints, risking the confidentiality of user sessions.

Such unauthorized access and potential data exposure may impact compliance with standards like GDPR and HIPAA, which require protection of sensitive data and user privacy.

However, the exploitability is considered difficult and the CVSS score is relatively low, indicating that while there is a risk, it may be limited in practical scenarios.
