CVE-2026-34917
Received Received - Intake
Session ID Reuse in Web Admin Console via XML-RPC API

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: HackerOne

Description
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-34917
EUVD
EUVD-2026-38509
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves low-privileged session IDs generated for the web admin console that could be reused in the XML-RPC API. Normally, the XML-RPC API authentication is restricted to admin users, but due to this issue, an attacker could reuse these session IDs to gain unauthorized access to the API and exploit vulnerabilities at the API level.

To mitigate this, the session context (whether the session is for web or API) is now recorded along with other session data, preventing session IDs from being used interchangeably between the web admin console and the XML-RPC API.

Impact Analysis

An attacker could leverage this vulnerability to gain unauthorized access to the XML-RPC API, which is normally restricted to admin users. This unauthorized access could allow the attacker to exploit API-level vulnerabilities, potentially compromising the security of the system.

Mitigation Strategies

To mitigate this vulnerability, ensure that session IDs generated for the web admin console are not reused in the XML-RPC API by recording the session context (web/API) along with other session data. This prevents session IDs from being used interchangeably and unauthorized access via the API.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34917. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart