CVE-2026-35095 | KTM System e-BOK allows the session identifier to be set by … | CVSS 4.8 MEDIUM

Description

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in the patch published in June 2026.

Metadata

CVE ID: CVE-2026-35095
State: PUBLISHED
Assigner: CERT-PL
Reserved: 2026-04-01 13:05 UTC
Published: 2026-06-30 13:37 UTC
Last updated: 2026-06-30 14:42 UTC
Primary CWE: CWE-384
CWE-384: Session Fixation
Vendor / Product: KTM System / e-BOK
Sources: cve.org · NVD

Severity & Metrics

4.8 MEDIUM CVSS 4.0

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
KTM System	e-BOK	—	0 < 06.2026

Weakness (CWE)

CWE	Source	Description
CWE-384	cna	CWE-384: Session Fixation

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.8	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (2)