CVE-2026-25101 PUBLISHED

Session Fixation in Bludit

Assigner: CERT-PL
Reserved: 29.01.2026 Published: 27.03.2026 Updated: 27.03.2026

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in version 3.17.2.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 4.8

Product Status

Vendor Bludit
Product Bludit
Versions Default: unaffected
  • affected from 0 to 3.17.2 (excl.)

Credits

  • Arkadiusz Marta finder

References

Problem Types

  • CWE-384 Session Fixation CWE

Impacts

  • CAPEC-61 Session Fixation