Skip to main content

Hydro (hydrooj) CVE-2026-55617

MEDIUM
Insufficient Session Expiration (CWE-613)
2026-06-18 https://github.com/hydro-dev/Hydro GHSA-94jp-7776-qj6q
Share

Severity by source

vuln.today AI
7.4 HIGH

AC:H reflects the prerequisite of obtaining a stale sid cookie; PR:N applies because no credential is needed at exploitation time; no availability impact is described.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 14:08 vuln.today
Analysis Generated
Jun 18, 2026 - 14:08 vuln.today

DescriptionCVE.org

Impact

Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.

As a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim's previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.

The attacker does not need the victim's username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.

Successful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.

Patches

The issue has been patched by deleting the old server-side session token before creating a new one during session recreation.

Patched in:

  • Pull request: https://github.com/hydro-dev/Hydro/pull/1173
  • Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d
  • Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a

Users should upgrade to a version containing this patch.

Workarounds

If upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.

Administrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.

AnalysisAI

Session replay attacks against Hydro competitive programming judge instances become viable because logout and session renewal flows create new tokens without invalidating the previous server-side session. An attacker who has captured a victim's stale sid cookie - via network interception, browser theft, or prior session compromise - can replay that cookie over HTTP or HTTPS at any point after logout and retain full authenticated access as the victim. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Capture victim sid cookie via interception or theft
Delivery
Victim logs out, unaware old session remains valid
Exploit
Replay stale sid cookie over HTTP or HTTPS
Execution
Server accepts stale session as authenticated
Impact
Access victim account data and perform unauthorized actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker has previously obtained a valid sid session cookie from the victim - for example via network interception (especially on HTTP deployments), cross-site scripting, browser-level theft, or access to HTTP logs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score or EPSS data was provided in the intelligence sources, so quantitative risk signals are unavailable and must be assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same network as a Hydro user intercepts the victim's sid cookie during an authenticated session over an HTTP (non-TLS) connection. The victim subsequently logs out of Hydro. …
Remediation The primary remediation is to upgrade hydrooj to version 5.0.2 or later, which contains the fix that calls token.del() on the previous session _id before creating a new session during recreation (patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55617 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy