CVE-2026-35095 - Vulnerability Details - OpenCVE

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in the patch published in June 2026.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

References

Link	Providers
https://cert.pl/posts/2026/06/CVE-2026-35095/
https://ktmsystem.pl/internetowe-biuro-obslugi-klienta/

History

Tue, 30 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 30 Jun 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in the patch published in June 2026.
Title		Session fixation in KTM System e-BOK
Weaknesses		CWE-384
References		https://cert.pl/posts/2026/06/CVE-2026-35095/ https://ktmsystem.pl/internetowe-biuro-obslugi-klienta/
Metrics		cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2026-06-30T13:37:55.256Z

Updated: 2026-06-30T14:42:45.383Z

Reserved: 2026-04-01T13:05:10.153Z

Link: CVE-2026-35095

Vulnrichment

Updated: 2026-06-30T14:42:40.285Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35095", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-04-01T13:05:10.153Z", "datePublished": "2026-06-30T13:37:55.256Z", "dateUpdated": "2026-06-30T14:42:45.383Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["e-BOK"], "product": "e-BOK", "vendor": "KTM System", "versions": [{"lessThan": "06.2026", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jacek Korta"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.<span style=\"background-color: rgb(255, 255, 255);\"><br></span><br>This issue was fixed in the patch published in June 2026.<br>"}], "value": "KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.\n\nThis issue was fixed in the patch published in June 2026."}], "impacts": [{"capecId": "CAPEC-61", "descriptions": [{"lang": "en", "value": "CAPEC-61 Session Fixation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 4.8, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-30T13:37:55.256Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/06/CVE-2026-35095/"}, {"tags": ["product"], "url": "https://ktmsystem.pl/internetowe-biuro-obslugi-klienta/"}], "source": {"discovery": "EXTERNAL"}, "title": "Session fixation in KTM System e-BOK", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-30T14:42:36.409765Z", "id": "CVE-2026-35095", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T14:42:45.383Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35095", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-30T14:42:36.409765Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T14:42:40.285Z"}}], "cna": {"title": "Session fixation in KTM System e-BOK", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jacek Korta"}], "impacts": [{"capecId": "CAPEC-61", "descriptions": [{"lang": "en", "value": "CAPEC-61 Session Fixation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "KTM System", "modules": ["e-BOK"], "product": "e-BOK", "versions": [{"status": "affected", "version": "0", "lessThan": "06.2026", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://cert.pl/posts/2026/06/CVE-2026-35095/", "tags": ["third-party-advisory"]}, {"url": "https://ktmsystem.pl/internetowe-biuro-obslugi-klienta/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.\n\nThis issue was fixed in the patch published in June 2026.", "supportingMedia": [{"type": "text/html", "value": "KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.<span style=\"background-color: rgb(255, 255, 255);\"><br></span><br>This issue was fixed in the patch published in June 2026.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-384", "description": "CWE-384: Session Fixation"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-30T13:37:55.256Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35095", "state": "PUBLISHED", "dateUpdated": "2026-06-30T14:42:45.383Z", "dateReserved": "2026-04-01T13:05:10.153Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-06-30T13:37:55.256Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}