Skip to main content

Datalore CVE-2026-32745

| EUVDEUVD-2026-12045 MEDIUM
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-03-13 JetBrains
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.1
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12045
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 15:50 nvd
MEDIUM 6.3

DescriptionCVE.org

In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings

AnalysisAI

JetBrains Datalore versions before 2026.1 contain a session hijacking vulnerability (CVE-2026-32745) caused by missing secure attribute configuration on session cookies, allowing attackers on the same network to intercept and reuse session tokens. The vulnerability affects all Datalore versions prior to 2026.1 and requires adjacent network access combined with user interaction; while the CVSS score is moderate (6.3), the impact is high for confidentiality and enables unauthorized account access.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS:3.1 vector (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N) indicates moderate overall severity but notable practical constraints: attack vector is Adjacent (local network only), which significantly limits widespread exploitation compared to network-accessible vulnerabilities. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on the same local network (corporate WiFi, shared office network, or compromised router) performs passive network sniffing using tools like tcpdump or Wireshark. When a legitimate Datalore user initiates an HTTP (non-HTTPS) connection or when the application transmits session cookies without the Secure flag, the attacker captures the session cookie in cleartext. …
Remediation Upgrade JetBrains Datalore to version 2026.1 or later (https://www.jetbrains.com/privacy-security/issues-fixed/) Mitigation (Pre-Patch): Enforce HTTPS-only connections to Datalore instances via reverse proxy (nginx/Apache with HSTS header 'Strict-Transport-Security: max-age=31536000; includeSubDomains') Mitigation (Pre-Patch): Restrict network access to Datalore instances using firewall rules to trusted networks only, reducing attack surface to adjacent network threat actors Mitigation (Pre-Patch): Implement VPN or network segmentation to isolate Datalore deployment from untrusted network segments Detection: Monitor HTTP access logs for unencrypted session cookie transmission; implement network IDS rules to detect cookie interception patterns on local network segments Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running JetBrains Datalore and apply vendor patches as part of regular patch cycle. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-32745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy