CVE-2026-25101

CRITICAL

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2.

CVSS v3.1 Score

9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Published: 3/27/2026Modified: 4/2/2026

Related Intelligence (1)

CRITICALVulnerability

NVD CRITICAL: CVE-2026-25101 — Bludit allows user's session identifier to be set before authentication. The val...

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2.

CVE-2026-25101
NIST NVD

References (2)

https://cert.pl/posts/2026/03/CVE-2026-25099Third Party Advisoryhttps://github.com/bludit/bludit/releases/tag/3.17.2Release Notes