Home / Vulnerability Intelligence / CVE-2026-40010

CVE-2026-40010 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: May 6, 2026

Apache Wicket - Session Fixation

Published: May 6, 2026Updated: May 6, 2026Remote Exploitable

Overview

Apache Wicket 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0 contain a session fixation vulnerability caused by missing invocation of Servlet http web request method changeSessionId after session binding, letting attackers fixate user sessions, exploit requires victim session binding.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Attackers can hijack user sessions by fixing session IDs, leading to unauthorized access.

Mitigation

Upgrade to version 10.9.0.

References

https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1
http://www.openwall.com/lists/oss-security/2026/05/06/1

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40010
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: confirmed

CWE

CWE-384

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N