
Pinpoint APM CVE-2026-57948

EUVD: EUVD-2026-40165 (HIGH)
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)
2026-06-29 · disclosure@vulncheck.com · GHSA-f4g5-7fg3-8rw6
7.6 · CVSS 4.0 · Vendor: vulncheck

Severity by source

Vendor (vulncheck), primary: 7.6 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI: 6.8 MEDIUM

Network-reachable, but exploitation is gated on a secondary XSS or cleartext-sniffing condition (AC:H) and an interacting authenticated victim (UI:R in CVSS 3.1, UI:P in CVSS 4.0); a stolen JWT yields session takeover (C:H/I:H, A:N).

CVSS 3.1: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS Vector (Vendor: vulncheck)

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Attack Requirements: None (AT:N)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Scope: not defined (X). Scope is a CVSS 3.1 metric; CVSS 4.0 replaced it with the Subsequent System impacts SC/SI/SA, all N in this vector.

Lifecycle Timeline

1. Analysis Generated: Jun 29, 2026, 18:33 (vuln.today)

Description (CVE.org)

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

Analysis (AI)

Session hijacking in Pinpoint (open-source APM) through version 3.1.0 stems from the pinpointJwt session cookie being issued without the HttpOnly and Secure flags, letting client-side JavaScript read it via document.cookie and allowing it to traverse cleartext HTTP. An attacker who can land a stored or reflected XSS payload, or who can sniff network traffic, can steal the JWT session token and impersonate the victim. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: identify a Pinpoint instance that is served over HTTP or exposes an XSS sink
Delivery: plant a stored XSS payload, or gain a position on the network path
Exploit: a victim operator loads the dashboard
Execution: read pinpointJwt via document.cookie, or sniff it from cleartext traffic
Persist: exfiltrate the JWT to the attacker
Impact: replay the token to hijack the authenticated session

Vulnerability Assessment (AI)

Exploitation: exploitation requires one of two concrete preconditions, because the cookie flaw is not self-triggering: (1) a usable cross-site scripting vulnerability, stored or reflected, within the Pinpoint web application that runs attacker JavaScript in a victim's session and reads the pinpointJwt cookie via document.cookie; or (2) an attacker-controlled or shared network path over which the Pinpoint UI is reached via cleartext HTTP, permitting interception of the cookie in transit (the missing Secure attribute lets the browser send the cookie without TLS). …
Risk Assessment: the CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N) frames this as network-reachable and unauthenticated but high-complexity, with passive user interaction and high confidentiality and integrity impact. That is accurate, because exploitation is not self-contained: it requires either a separate XSS vulnerability in the application or an attacker-controlled network path carrying cleartext HTTP. …
Exploit Scenario: an attacker plants a stored XSS payload in a Pinpoint field that is rendered in the dashboard; when an operator views it, the script reads document.cookie and ships the pinpointJwt token to the attacker, who replays it to take over the authenticated session. Alternatively, on a Pinpoint instance served over HTTP, an attacker on the same network captures the cookie in transit by passive sniffing. …
Remediation: no vendor-released patch version is identified at the time of analysis; the only references are the upstream GitHub issue (https://github.com/pinpoint-apm/pinpoint/issues/13858) and the VulnCheck advisory (https://www.vulncheck.com/advisories/pinpoint-insecure-session-cookie-attributes-in-pinpointjwt), so monitor those for a tagged release and upgrade once one is available. …

Recommended Action (AI)

Within 24 hours: audit all Pinpoint deployments to identify instances running version 3.1.0 or earlier; enforce HTTPS-only access to the web UI and restrict console connectivity to authorized networks via firewall rules. …
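As an added example, not code from the vuln.today page or from the Pinpoint project, the following Python audits captured HTTP responses (for instance the output of `curl -si` against the Pinpoint web UI, or the login response saved from a browser's network tab) for the flaw described in the Description and Recommended Action sections: a pinpointJwt Set-Cookie header issued without HttpOnly and Secure. It also emits the hardened form of such a header. The response text and cookie values are constructed; the cookie name pinpointJwt comes from the advisory, and the SameSite check goes beyond what the CVE text states.

```python
"""Audit captured HTTP responses for the session-cookie flaw in CVE-2026-57948.

Added example (not Pinpoint project code). It parses the Set-Cookie headers of a
response, reports a session cookie issued without HttpOnly or Secure, and shows
the hardened header. Every response and cookie value below is constructed.
"""
from typing import Dict, List, Tuple

SESSION_COOKIES = ("pinpointJwt",)  # cookie name taken from the advisory

# Canonical spelling for attributes we re-emit when hardening a header.
_CANON = {"path": "Path", "domain": "Domain", "max-age": "Max-Age",
          "expires": "Expires", "httponly": "HttpOnly", "secure": "Secure",
          "samesite": "SameSite"}


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attr_lowercase: attr_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> List[str]:
    """Findings for one Set-Cookie header; an empty list means the cookie is hardened."""
    name, _, attrs = parse_set_cookie(header)
    if name not in SESSION_COOKIES:
        return []  # only session-bearing cookies matter for this check
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, sent over cleartext HTTP")
    # Added check beyond the advisory: SameSite limits cross-site sending of the cookie.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (extra check, not in CVE text)")
    return findings


def set_cookie_headers(raw_response: str) -> List[str]:
    """Extract every Set-Cookie value from a raw HTTP response (e.g. `curl -si` output)."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    out = []
    for line in head.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            out.append(val.strip())
    return out


def audit_response(raw_response: str) -> List[str]:
    """All findings for every Set-Cookie header in a captured response."""
    findings: List[str] = []
    for header in set_cookie_headers(raw_response):
        findings.extend(audit_set_cookie(header))
    return findings


def harden_set_cookie(header: str) -> str:
    """Re-emit a Set-Cookie header with HttpOnly, Secure and SameSite=Strict present."""
    name, value, attrs = parse_set_cookie(header)
    attrs.setdefault("httponly", "")
    attrs.setdefault("secure", "")
    attrs.setdefault("samesite", "Strict")
    pieces = [f"{name}={value}"]
    for key, val in attrs.items():
        canon = _CANON.get(key, key)
        pieces.append(f"{canon}={val}" if val else canon)
    return "; ".join(pieces)


# Constructed response resembling a login reply from an unpatched instance (<= 3.1.0).
# The token value is a placeholder, not a real JWT; ui_lang is a non-session cookie.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: pinpointJwt=EXAMPLE.JWT.VALUE; Path=/\r\n"
    "Set-Cookie: ui_lang=en; Path=/\r\n"
    "\r\n"
    "{}"
)

if __name__ == "__main__":
    for finding in audit_response(VULNERABLE_RESPONSE):
        print("FINDING:", finding)
    for header in set_cookie_headers(VULNERABLE_RESPONSE):
        print("hardened:", harden_set_cookie(header))
```

Two caveats when acting on the findings. Browsers reject a Secure cookie set from an http:// origin, so adding the flag before HTTPS is enforced (as the recommended action says) locks operators out instead of protecting them; switch the UI to TLS first. Where the application cannot be patched yet, a TLS-terminating reverse proxy in front of the UI can add the missing flags to the Set-Cookie headers it forwards (nginx's proxy_cookie_flags directive does this); that is a general compensating control, not one this page lists.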




CVE-2026-57948 vulnerability details – vuln.today
