GHSA-qpjw-p3jg-59j6
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 5 maven packages depend on org.apache.wicket:wicket-auth-roles (4 direct, 1 indirect)
Ecosystem-wide dependent count for version 8.0.0-M1.
Description PRE-NVD
AnalysisAI
Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.
Technical ContextAI
Apache Wicket is a component-based Java web application framework. CWE-384 (Session Fixation) occurs when an application accepts externally-supplied session identifiers without regenerating them upon authentication state changes. The AuthenticatedWebSession class in Wicket manages user authentication state across HTTP requests. Session fixation exploits this by having an attacker pre-establish a session ID, trick a victim into authenticating with that fixed ID, then use the now-authenticated session to impersonate the victim. The vulnerability exists across three major Wicket release branches (8.x, 9.x, 10.x), affecting products using CPE identifiers cpe:2.3:a:apache:wicket for versions 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. This architectural flaw in session lifecycle management violates OWASP ASVS requirements for session token regeneration on authentication events.
RemediationAI
Upgrade Apache Wicket to patched versions: 8.18.0 or later for the 8.x branch, 9.23.0 or later for the 9.x branch, or 10.9.0 or later for the 10.x branch. Consult the Apache security advisory at https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1 for exact fix versions and migration guidance. If immediate patching is not feasible, implement compensating controls: explicitly regenerate session identifiers upon successful authentication by calling Session.get().replaceSession() in authentication success handlers before granting authenticated access; enforce strict session cookie attributes (Secure, HttpOnly, SameSite=Strict) to limit session ID leakage; implement short session timeouts pre-authentication to reduce the window for fixation attacks; and monitor for suspicious patterns such as session IDs reused across authentication boundaries or session upgrades from unauthenticated to authenticated states without ID regeneration. Note that workarounds add application logic complexity and may impact performance under high authentication loads; vendor-released patches remain the definitive remediation. Review application logs for anomalous session reuse patterns that might indicate historical exploitation attempts.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27554