CVE 9.1 CRITICAL

Apache Wicket: possible session fixation using AuthenticatedWebSession_CVE-2026-40010

May 7, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket.

This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.

Users are recommended to upgrade to version 10.9.0, which fixes the issue.

AI Analysis

Session fixation vulnerability in Apache Wicket via missing invocation of Servlet http web request method changeSessionId after session binding

Basic Information

ID CVE-2026-40010

Source apache

Published May 6, 2026 at 08:34

Modified May 7, 2026 at 12:19

Affected Product

Vendor Apache Software Foundation

Product Apache Wicket

Version 10.0.0

Affected Versions Apache Software Foundation Apache Wicket 10.0.0
Apache Software Foundation Apache Wicket 8.0.0
Apache Software Foundation Apache Wicket 9.0.0

CWE Classification

CWE-384

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Apache Software Foundation

Product Apache Wicket

Version 8.0.0-8.17.0, 9.0.0, 10.0.0-10.8.0

References

lists.apache.org /thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1

{
    "lastseen": "",
    "description": "Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.",
    "published": "2026-05-06T08:34:30.480Z",
    "modified": "2026-05-07T12:19:50.120Z",
    "type": "cve",
    "title": "Apache Wicket: possible session fixation using AuthenticatedWebSession",
    "source": "apache",
    "references": "https://lists.apache.org/thread/61wsc0xdtfd5oozojfx7by9w3jwgkmv1",
    "id": "CVE-2026-40010",
    "bulletinFamily": "",
    "cwe": [
        "CWE-384"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Wicket 10.0.0\nApache Software Foundation Apache Wicket 8.0.0\nApache Software Foundation Apache Wicket 9.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Wicket",
    "version": "10.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Session fixation vulnerability in Apache Wicket via missing invocation of Servlet http web request method changeSessionId after session binding",
    "ai_severity": "Critical",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache Wicket",
    "ai_version": "8.0.0-8.17.0, 9.0.0, 10.0.0-10.8.0",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply