Skip to main content

TwiN gatus CVE-2026-11956

| EUVDEUVD-2026-36236 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-06-11 VulDB GHSA-wwqf-6p54-3cfq
6.3
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

MITM network positioning required for interception (AV:N, AC:H); no authentication needed; only session cookie confidentiality impacted (C:L), no integrity or availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 13:16 vuln.today

DescriptionCVE.org

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".

AnalysisAI

OIDC session cookie exposure in TwiN gatus 5.36.0 allows network-positioned attackers to intercept authentication tokens because the setSessionCookie function in security/oidc.go sets session cookies without the Secure attribute, permitting transmission over unencrypted HTTP connections. Only deployments with OIDC authentication enabled are affected, and exploitation requires high attack complexity due to mandatory network interception positioning. No public exploit code has been identified; the upstream maintainer has closed the associated GitHub issue (#1689) as 'not planned', meaning no vendor patch will be released.

Technical ContextAI

CWE-614 (Sensitive Cookie Without 'Secure' Attribute) describes a class of flaw where HTTP cookies are issued by the server without the Secure flag set. Browsers enforce this flag by refusing to send the cookie over non-TLS (plain HTTP) connections; its absence allows the session token to leak on any unencrypted request. TwiN gatus is an open-source health and uptime monitoring dashboard written in Go. The affected code path is the setSessionCookie function within security/oidc.go, the component responsible for establishing a browser session after a successful OpenID Connect authentication flow. The OIDC integration is an optional feature; the vulnerable code is only exercised when OIDC is configured. CPE cpe:2.3:a:twin:gatus:*:*:*:*:*:*:*:* indicates the flaw may exist across all versions of the twin/gatus application, though the description specifically names 5.36.0 as the confirmed reference point.

RemediationAI

No vendor-released patch has been identified at time of analysis; the upstream GitHub issue (https://github.com/TwiN/gatus/issues/1689) was explicitly closed with the label 'not planned', confirming the maintainer will not address this. The primary compensating control is to enforce HTTPS exclusively for all Gatus deployments by configuring a reverse proxy (e.g., nginx, Caddy, Traefik) to redirect all HTTP traffic to HTTPS and set HSTS headers, which prevents the session cookie from ever traveling over an unencrypted channel and fully neutralizes this attack vector. Organizations with Go build capability may patch security/oidc.go directly by adding Secure: true to the http.Cookie struct in setSessionCookie; this is a low-risk, one-line change. Network segmentation that blocks public HTTP access to Gatus instances is an additional defensive layer with no functional trade-offs for internal deployments. Disabling OIDC authentication entirely (if not required) removes the vulnerable code path from the attack surface.

Share

CVE-2026-11956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy