Hydro (hydrooj) CVE-2026-55617
MEDIUMSeverity by source
AC:H reflects the prerequisite of obtaining a stale sid cookie; PR:N applies because no credential is needed at exploitation time; no availability impact is described.
Lifecycle Timeline
2DescriptionCVE.org
Impact
Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.
As a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim's previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.
The attacker does not need the victim's username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.
Successful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.
Patches
The issue has been patched by deleting the old server-side session token before creating a new one during session recreation.
Patched in:
- Pull request: https://github.com/hydro-dev/Hydro/pull/1173
- Patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d
- Merge commit: https://github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a
Users should upgrade to a version containing this patch.
Workarounds
If upgrading immediately is not possible, administrators should reduce the risk by forcing all existing sessions to expire or by clearing the server-side session token store after applying a local patch.
Administrators should also review logs for suspicious use of stale sid cookies and rotate any exposed session cookies. However, these mitigations do not fully fix the vulnerability. The recommended remediation is to upgrade to a patched version.
AnalysisAI
Session replay attacks against Hydro competitive programming judge instances become viable because logout and session renewal flows create new tokens without invalidating the previous server-side session. An attacker who has captured a victim's stale sid cookie - via network interception, browser theft, or prior session compromise - can replay that cookie over HTTP or HTTPS at any point after logout and retain full authenticated access as the victim. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker has previously obtained a valid sid session cookie from the victim - for example via network interception (especially on HTTP deployments), cross-site scripting, browser-level theft, or access to HTTP logs. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score or EPSS data was provided in the intelligence sources, so quantitative risk signals are unavailable and must be assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same network as a Hydro user intercepts the victim's sid cookie during an authenticated session over an HTTP (non-TLS) connection. The victim subsequently logs out of Hydro. … |
| Remediation | The primary remediation is to upgrade hydrooj to version 5.0.2 or later, which contains the fix that calls token.del() on the previous session _id before creating a new session during recreation (patch commit: https://github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-94jp-7776-qj6q