CVE-2026-35095
Deferred - Pending Action

Session Fixation in KTM System e-BOK

Vulnerability report for CVE-2026-35095, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CERT.PL

Description

KTM System e-BOK accepts a session identifier supplied by the client before authentication: if the client presents a cookie with the session cookie's name, the application adopts its value and keeps it unchanged after a successful login. An attacker can therefore plant a session ID in a victim's browser and, once the victim logs in, use that same ID to hijack the authenticated session. The issue was fixed in the patch published in June 2026.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

One associated CPE:

Vendor: ktm_system
Product: ktm_system_e-bok
Version / Range: all versions before 2026-06-01 (excluding 2026-06-01)


Exploitability

CWE ID: CWE-384 (Session Fixation)
Description: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.


Compliance Impact

Because the fixed session ID survives the victim's login, an attacker who exploits this issue gains access to the victim's authenticated session and to whatever personal data the e-BOK account exposes. Such unauthorized access can amount to a personal data breach under data protection regulations such as the GDPR (and, where health data is processed, sector rules such as HIPAA), which expect adequate controls over authentication and session management. Exploitation could therefore put an operator out of compliance both through the breach itself and through the underlying weakness in session handling.

Executive Summary

CVE-2026-35095 is a session fixation flaw in KTM System e-BOK. The application honours a session identifier chosen by the client before login and does not issue a new one when the user authenticates, so an attacker who plants a known session ID in a victim's browser can reuse that ID to take over the victim's session once the victim has logged in.

Impact Analysis

An attacker who succeeds in fixing the session ID before the victim logs in can afterwards act as the victim within KTM System e-BOK: read the account's personal and billing data and perform actions on the victim's behalf. The attacker never needs the victim's password; they only need the victim to authenticate with the planted identifier. How the identifier is planted (for example, a cookie-setting vector) is not described in the advisory.

Mitigation Strategies

The immediate fix is to apply the KTM System e-BOK patch published in June 2026, which addresses this issue; versions before 2026-06-01 are affected.

Independently of the patch, the application-level controls that defeat session fixation are: generate a fresh session identifier on every privilege change (login, re-authentication, role switch) and invalidate the previous one; never adopt a session identifier presented by the client unless the server itself issued it, treating unknown values as "no session"; and mark the session cookie Secure, HttpOnly and SameSite so it is neither sent in clear nor readable from script. A simple check for the flaw is to note the session cookie value before login and compare it with the value after login: if it is unchanged, the application is fixation-prone.
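The following is an added illustration, not code from KTM System e-BOK or from CERT.PL. It models the behaviour the Description reports (a client-presented session cookie value is adopted and kept across login) beside the hardened login that the mitigation text calls for, and includes the before/after cookie comparison a tester would run. The framework is replaced by an in-memory session table; the cookie name SESSIONID, the user record and the attacker-chosen value are constructed assumptions, since the page gives none of them.

```python
import hmac
import secrets

# Constructed sample data. The cookie name is an assumption; the page does not
# name the real e-BOK session cookie.
SESSION_COOKIE = "SESSIONID"
USERS = {"victim": "correct-horse-battery-staple"}


def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Server-side session table: session id -> attributes."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)          # 256-bit id minted by the server
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def login_vulnerable(store, presented_sid, username, password):
    """Fixation-prone login, modelled on the advisory's description.

    Whatever value the client presents in the session cookie becomes the
    session id, and it is kept unchanged after the password check succeeds.
    Returns (sid_to_set_in_cookie, authenticated).
    """
    sid = presented_sid or store.create()
    store.sessions.setdefault(sid, {"user": None})   # client-chosen id is accepted as-is
    if not check_password(username, password):
        return sid, False
    store.sessions[sid]["user"] = username           # same id, now carries a logged-in user
    return sid, True


def login_hardened(store, presented_sid, username, password):
    """Fixed login: unknown ids are ignored and the id is regenerated on success."""
    known = presented_sid if presented_sid in store.sessions else None
    if not check_password(username, password):
        return known or store.create(), False
    if known is not None:
        del store.sessions[known]                    # invalidate the pre-auth session
    sid = store.create()                             # fresh id, bound to the user
    store.sessions[sid]["user"] = username
    return sid, True


def set_cookie_header(sid):
    """Set-Cookie value with the attributes the mitigation text recommends."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_succeeds(login, attacker_uses_server_minted_id):
    """Does an id known to the attacker before the victim's login still resolve
    to the victim afterwards?  False models the advisory (an arbitrary value is
    accepted); True models an attacker who first obtained a legitimate
    pre-authentication id, which the fix must also defeat."""
    store = SessionStore()
    if attacker_uses_server_minted_id:
        fixed_sid = store.create()
    else:
        fixed_sid = "attacker-chosen-value"        # how it reaches the victim's browser is not given by the page
    # The victim's browser carries the fixed id when the victim logs in.
    _sid_after, ok = login(store, fixed_sid, "victim", USERS["victim"])
    assert ok
    # The attacker then replays the fixed id.
    return store.user_for(fixed_sid) == "victim"


def session_id_changes_on_login(login):
    """The tester's check: compare the session cookie value before and after login."""
    store = SessionStore()
    before = store.create()
    after, ok = login(store, before, "victim", USERS["victim"])
    return ok and after != before


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(f"{name}: id changes on login={session_id_changes_on_login(fn)}, "
              f"hijack with arbitrary id={fixation_succeeds(fn, False)}, "
              f"hijack with minted id={fixation_succeeds(fn, True)}")
        print("  cookie:", set_cookie_header("<sid>"))
```

Running the script shows the vulnerable handler keeping the pre-login id and being hijacked in both scenarios, while the hardened handler issues a new id and leaves the attacker's value unresolvable. The second scenario matters because regenerating the id on login is what closes the hole even when the server does validate that an id was self-issued; rejecting foreign ids alone is not enough.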

