Skip to main content

Gatus

1 CVEs product

Monthly

CVE-2026-11956 MEDIUM This Month

OIDC session cookie exposure in TwiN gatus 5.36.0 allows network-positioned attackers to intercept authentication tokens because the `setSessionCookie` function in `security/oidc.go` sets session cookies without the Secure attribute, permitting transmission over unencrypted HTTP connections. Only deployments with OIDC authentication enabled are affected, and exploitation requires high attack complexity due to mandatory network interception positioning. No public exploit code has been identified; the upstream maintainer has closed the associated GitHub issue (#1689) as 'not planned', meaning no vendor patch will be released.

Information Disclosure Gatus
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM This Month

OIDC session cookie exposure in TwiN gatus 5.36.0 allows network-positioned attackers to intercept authentication tokens because the `setSessionCookie` function in `security/oidc.go` sets session cookies without the Secure attribute, permitting transmission over unencrypted HTTP connections. Only deployments with OIDC authentication enabled are affected, and exploitation requires high attack complexity due to mandatory network interception positioning. No public exploit code has been identified; the upstream maintainer has closed the associated GitHub issue (#1689) as 'not planned', meaning no vendor patch will be released.

Information Disclosure Gatus
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy