CVE-2026-57948
Status: Received - Intake

Session Hijacking via Insecure Session Cookie in Pinpoint through 3.1.0

Vulnerability report for CVE-2026-57948, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Associated CPE (1):
Vendor: pinpoint | Product: pinpoint | Version / Range: through 3.1.0 (inclusive)

CWE

CWE-614: The Secure attribute for sensitive cookies in HTTPS sessions is not set.
CWE-1004: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

Executive Summary

CVE-2026-57948 is a security vulnerability in Pinpoint versions up to 3.1.0 involving insecure session management. The pinpointJwt session cookie is issued without the HttpOnly and Secure attributes.

Because the HttpOnly attribute is missing, JavaScript running in the browser can access the cookie via document.cookie, making it vulnerable to theft through cross-site scripting (XSS) attacks. Without the Secure attribute, the cookie is transmitted in cleartext over HTTP, allowing attackers to intercept it via network sniffing.

Attackers can exploit these weaknesses to steal session tokens and hijack user sessions, gaining unauthorized access to authenticated API endpoints.

Impact Analysis

This vulnerability can lead to session hijacking, where attackers gain unauthorized access to your account or system by stealing the pinpointJwt session token.

  • Attackers can exfiltrate the session token via stored or reflected cross-site scripting (XSS) vulnerabilities.
  • The session token can be intercepted in cleartext over HTTP by network sniffers due to the missing Secure attribute.
  • Once stolen, the token grants full access to authenticated API endpoints for up to 12 hours, potentially compromising sensitive user data and system integrity.

Detection Guidance

This vulnerability can be detected by inspecting the session cookie named "pinpointJwt" to check if it lacks the HttpOnly and Secure attributes.

You can use browser developer tools or command-line tools to inspect cookies and network traffic.

  • Use browser developer tools (e.g., Chrome DevTools) to check the attributes of the "pinpointJwt" cookie under Application > Cookies.
  • Use curl to inspect the HTTP response headers for the Set-Cookie header, for example: curl -I http://your-pinpoint-server | grep -i Set-Cookie
  • Use network traffic analysis tools such as Wireshark or tcpdump to capture HTTP traffic and check whether the "pinpointJwt" cookie is transmitted over unencrypted HTTP.
  • In a browser console, run document.cookie and check whether the "pinpointJwt" cookie is readable from JavaScript, which indicates the HttpOnly attribute is missing.

Mitigation Strategies

The immediate mitigation is to ensure that the "pinpointJwt" session cookie is set with both HttpOnly and Secure attributes to prevent JavaScript access and transmission over unencrypted HTTP.

Specifically, update the cookie creation code to include cookie.setHttpOnly(true) and cookie.setSecure(true).

Additionally, deploy the application over HTTPS to protect the cookie from network interception.

If HTTPS-only deployment is not possible immediately, consider making the Secure attribute configurable but always enforce HttpOnly.

Review and fix any stored or reflected cross-site scripting (XSS) vulnerabilities to prevent attackers from exploiting JavaScript access to the cookie.
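The detection check above (inspecting Set-Cookie headers for HttpOnly and Secure) and the mitigation (always enforce HttpOnly, make Secure depend on HTTPS deployment) as one added Python example; this is not Pinpoint's code, and the cookie value and response below are constructed.

```python
# Audit and harden Set-Cookie headers for CWE-1004 (HttpOnly) and CWE-614 (Secure).
# Added example, not Pinpoint's own code: it checks raw header lines such as the ones
# `curl -I` prints and rebuilds them in the hardened form the mitigation describes.

SESSION_COOKIE = "pinpointJwt"

def parse_set_cookie(header):
    """Split one Set-Cookie line into (name, value, [(attribute, attribute_value), ...])."""
    header = header.strip()
    if header.lower().startswith("set-cookie:"):  # accept a full header line or just its value
        header = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = [tuple(s.strip() for s in part.partition("=")[::2]) for part in parts[1:]]
    return name.strip(), value.strip(), attrs

def audit_set_cookie(header):
    """Return (cookie_name, findings); an empty findings list means both flags are present."""
    name, _, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}  # attribute names are case-insensitive
    findings = []
    if "httponly" not in present:
        findings.append("CWE-1004: HttpOnly missing, cookie readable via document.cookie")
    if "secure" not in present:
        findings.append("CWE-614: Secure missing, cookie sent in cleartext over HTTP")
    return name, findings

def harden_set_cookie(header, https=True):
    """Rebuild the header value: HttpOnly always enforced, Secure added only when served over HTTPS."""
    name, value, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}
    for flag in ("HttpOnly",) + (("Secure",) if https else ()):  # configurable Secure, mandatory HttpOnly
        if flag.lower() not in present:
            attrs.append((flag, ""))
    return "; ".join([f"{name}={value}"] + [f"{k}={v}" if v else k for k, v in attrs])

def audit_response(raw_headers):
    """Audit just the session cookie in a raw response header block; None if it is not set."""
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            name, findings = audit_set_cookie(line)
            if name == SESSION_COOKIE:
                return findings
    return None

# Constructed sample response, shaped like the vulnerable behaviour the advisory describes.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                 "Set-Cookie: pinpointJwt=eyJhbGciOiJIUzI1NiJ9.sample.sig; Path=/; Max-Age=43200\r\n")
```

Feed `audit_response` the raw output of `curl -i` against the login endpoint that issues the cookie; an empty list means both flags are present, `None` means the response set no pinpointJwt cookie at all.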

Compliance Impact

The vulnerability allows attackers to hijack user sessions by stealing the pinpointJwt session cookie due to missing HttpOnly and Secure attributes. This exposure of sensitive session tokens can lead to unauthorized access to user data.

Such unauthorized access and potential data breaches can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure session management.
