CVE-2026-0696 - Vulnerability Details

- Session Cookies Missing HttpOnly Attribute

Description

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

Published: 2026-01-16

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In ConnectWise PSA versions older than 2026.1, session cookies are set without the HttpOnly flag, allowing any script that runs on the client side to read the cookie contents. If an attacker can inject or execute JavaScript—through a separate XSS vulnerability or by delivering a malicious file—he may obtain the session identifier and impersonate the authenticated user, leading to unauthorized access or exposure of data.

Affected Systems

The vulnerability affects ConnectWise Professional Service Automation for both cloud‑hosted and on‑premise deployments. Any instance running a version earlier than 2026.1 is at risk; the fix is included in the 2026.1 release and later.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at the time of this analysis. The weakness is not listed in the CISA KEV catalog. Exploitation would require the attacker first be able to run JavaScript on the client; this typically means compromising the application through an XSS flaw or delivering a malicious file—a requirement that is inferred from the description rather than directly stated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ConnectWise

PSA

unaffected

Version	Status	Constraints
`All versions prior to 2026.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:connectwise:professional_service_automation:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Connectwise	Psa	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Cloud Cloud instances are automatically being updated to the latest ConnectWise PSA release. On-premise Apply the 2026.1 release patches and ensure all desktop clients are up to date.

OpenCVE Recommended Actions

Upgrade all on‑premise installations to ConnectWise PSA 2026.1 or newer.
Ensure cloud‑hosted instances have automatic updates enabled to receive the 2026.1 fix promptly.
Deploy a Content Security Policy that blocks inline scripts and restricts untrusted JavaScript execution to mitigate XSS vectors.
Implement server‑side input validation and output encoding to reduce the risk of script injection.
Configure session cookies to include the HttpOnly and Secure attributes whenever possible.

Generated by OpenCVE AI on April 18, 2026 at 19:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
https://www.themissinglink.com.au/security-advisories/cve-2026-0696

History

Tue, 27 Jan 2026 12:30:00 +0000

Type	Values Removed	Values Added
References		https://www.themissinglink.com.au/security-advisories/cve-2026-0696

Fri, 23 Jan 2026 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Connectwise professional Service Automation
CPEs		cpe:2.3:a:connectwise:professional_service_automation::::::::
Vendors & Products		Connectwise professional Service Automation

Mon, 19 Jan 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Connectwise Connectwise psa
Vendors & Products		Connectwise Connectwise psa

Fri, 16 Jan 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 16 Jan 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
Title		Session Cookies Missing HttpOnly Attribute
Weaknesses		CWE-1004
References		https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

Subscriptions

Connectwise Professional Service Automation Psa

MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published: 2026-01-16T13:34:49.042Z

Updated: 2026-01-27T12:14:05.158Z

Reserved: 2026-01-07T21:32:00.544Z

Link: CVE-2026-0696

Vulnrichment

Updated: 2026-01-16T14:07:01.298Z

NVD

Status : Modified

Published: 2026-01-16T14:15:54.940

Modified: 2026-01-27T13:15:54.403

Link: CVE-2026-0696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses

CWE-1004

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object