Severity by source
AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
AnalysisAI
JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | The CVSS:3.1 vector (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates moderate overall severity but notable practical constraints: attack vector is Adjacent (local network only), which significantly limits widespread exploitation compared to network-accessible vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned on the same local network (corporate WiFi, shared office network, or compromised router) performs passive network sniffing using tools like tcpdump or Wireshark. When a legitimate Datalore user initiates an HTTP (non-HTTPS) connection or when the application transmits session cookies without the Secure flag, the attacker captures the session cookie in cleartext. … |
| Remediation | Upgrade JetBrains Datalore to version 2026.1 or later (https://www.jetbrains.com/privacy-security/issues-fixed/) Mitigation (Pre-Patch): Enforce HTTPS-only connections to Datalore instances via reverse proxy (nginx/Apache with HSTS header 'Strict-Transport-Security: max-age=31536000; includeSubDomains') Mitigation (Pre-Patch): Restrict network access to Datalore instances using firewall rules to trusted networks only, reducing attack surface to adjacent network threat actors Mitigation (Pre-Patch): Implement VPN or network segmentation to isolate Datalore deployment from untrusted network segments Detection: Monitor HTTP access logs for unencrypted session cookie transmission; implement network IDS rules to detect cookie interception patterns on local network segments Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 30 days: Identify affected systems running JetBrains Datalore and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12045