Description
A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Manipulation can lead to a sensitive cookie being set without the Secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".
Published: 2026-06-11
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw occurs in TwiN gatus’s OIDC Session Cookie Handler, where the setSessionCookie routine does not set the Secure flag on session cookies. A browser sends a cookie that lacks this attribute over plain HTTP as well as HTTPS, so an attacker with visibility of the network path can intercept it and hijack a user’s authenticated session. The vulnerability is categorized as CWE-1004 and CWE-614 and can compromise the confidentiality and integrity of sensitive data if an attacker steals session state.

Affected Systems

All installations of TwiN gatus version 5.36.0 are affected. The issue is present in the security/oidc.go component of that release. Future releases that include the secure flag fix are not impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity risk. The attack is remote, of high complexity, and considered difficult to execute. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited current exploitation activity. Nonetheless, exposure of session cookies over insecure links remains a significant threat to authenticated sessions.

Generated by OpenCVE AI on June 11, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TwiN gatus to the latest supported release that applies the secure flag to OIDC session cookies.
  • If an upgrade cannot be performed immediately, modify the application’s cookie handling logic or use a reverse proxy to enforce the Secure attribute on all session cookies.
  • Configure the session cookies with a SameSite attribute (e.g., Lax or Strict) and appropriate domain and path restrictions to further mitigate session hijacking risks.
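The weakness described under Impact and the three actions above can be checked and enforced at the HTTP layer. The following Go program is an added example, not gatus’s code and not part of this record: the handler names, the cookie name "session" and its value are constructed for illustration. AuditSetCookies parses a response’s Set-Cookie headers and reports cookies missing Secure, HttpOnly or an explicit SameSite policy (the check to run against a deployment’s login response); vulnerableSessionHandler is a stand-in for the weakness class, hardenedSessionHandler sets the recommended attributes, and EnforceSecureCookies is the interim, reverse-proxy-style mitigation that appends the Secure attribute to outgoing cookies without changing the application.

```go
// Added example (not gatus's code): the handlers, cookie name and value are constructed.
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// CookieFinding names one cookie and the protective attributes it lacks.
type CookieFinding struct {
	Name    string
	Missing []string
}

// AuditSetCookies parses every Set-Cookie header in h and reports cookies that lack
// Secure, HttpOnly or an explicit SameSite policy: the check to run against a login response.
func AuditSetCookies(h http.Header) []CookieFinding {
	var findings []CookieFinding
	for _, c := range (&http.Response{Header: h}).Cookies() {
		var missing []string
		// SameSite parses to 0 when absent and SameSiteDefaultMode when unrecognised; Lax/Strict/None are greater.
		checks := []struct{ ok bool; name string }{
			{c.Secure, "Secure"}, {c.HttpOnly, "HttpOnly"}, {c.SameSite > http.SameSiteDefaultMode, "SameSite"}}
		for _, a := range checks {
			if !a.ok {
				missing = append(missing, a.name)
			}
		}
		if len(missing) > 0 {
			findings = append(findings, CookieFinding{Name: c.Name, Missing: missing})
		}
	}
	return findings
}

// vulnerableSessionHandler is a constructed stand-in for the weakness class (no Secure attribute),
// not the project's setSessionCookie.
func vulnerableSessionHandler(w http.ResponseWriter, _ *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "opaque-token", Path: "/"})
	w.WriteHeader(http.StatusOK)
}

// hardenedSessionHandler sets the attributes the recommended actions call for.
func hardenedSessionHandler(w http.ResponseWriter, _ *http.Request) {
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "opaque-token", Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode})
	w.WriteHeader(http.StatusOK)
}

// hasCookieAttr reports whether a Set-Cookie value already carries attr (part 0 is name=value).
func hasCookieAttr(raw, attr string) bool {
	for _, p := range strings.Split(raw, ";")[1:] {
		if strings.EqualFold(strings.TrimSpace(p), attr) {
			return true
		}
	}
	return false
}

// secureCookieWriter is the proxy-style interim mitigation: "; Secure" is appended to every
// outgoing Set-Cookie header before the headers reach the client.
type secureCookieWriter struct{ http.ResponseWriter }

// rewrite is idempotent, so calling it on every write path is safe.
func (s *secureCookieWriter) rewrite() {
	h := s.Header()
	raw := append([]string(nil), h.Values("Set-Cookie")...) // copy before deleting
	h.Del("Set-Cookie")
	for _, v := range raw {
		if !hasCookieAttr(v, "Secure") {
			v += "; Secure"
		}
		h.Add("Set-Cookie", v)
	}
}

func (s *secureCookieWriter) WriteHeader(code int) { s.rewrite(); s.ResponseWriter.WriteHeader(code) }
func (s *secureCookieWriter) Write(b []byte) (int, error) { s.rewrite(); return s.ResponseWriter.Write(b) }

// EnforceSecureCookies wraps any handler without changing its code.
func EnforceSecureCookies(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sw := &secureCookieWriter{w}
		next.ServeHTTP(sw, r)
		sw.rewrite() // covers a handler that set cookies but never wrote a status or body
	})
}

// Scenarios audits the constructed handlers through a recorded request.
func Scenarios() map[string][]CookieFinding {
	out := map[string][]CookieFinding{}
	for name, h := range map[string]http.Handler{
		"vulnerable": http.HandlerFunc(vulnerableSessionHandler),
		"enforced":   EnforceSecureCookies(http.HandlerFunc(vulnerableSessionHandler)),
		"hardened":   http.HandlerFunc(hardenedSessionHandler),
	} {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/login", nil))
		out[name] = AuditSetCookies(rec.Result().Header)
	}
	return out
}
```

Scenarios() shows the three states side by side: the vulnerable handler is reported as missing Secure, HttpOnly and SameSite; the same handler behind EnforceSecureCookies is missing only HttpOnly and SameSite, which is why the wrapper is an interim measure and the third action (SameSite, domain and path restrictions) still belongs in the application; the hardened handler produces no findings. The audit only inspects Set-Cookie headers, so it can be run against any deployment’s login response.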


Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 12:45:00 +0000

Values Removed: (none for any type in this entry)

Type: Description
Values Added: A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".

Type: Title
Values Added: TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute

Type: First Time appeared
Values Added: Twin; Twin gatus

Type: Weaknesses
Values Added: CWE-1004; CWE-614

Type: CPEs
Values Added: cpe:2.3:a:twin:gatus:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Twin; Twin gatus

Type: References
Values Added: (none)

Type: Metrics
Values Added:
cvssV2_0
{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:UR'}
cvssV3_0
{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R'}
cvssV3_1
{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R'}
cvssV4_0
{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-11T12:52:09.350Z

Reserved: 2026-06-11T06:55:17.414Z

Link: CVE-2026-11956

Vulnrichment

Updated: 2026-06-11T12:51:55.338Z

NVD

Status: Deferred

Published: 2026-06-11T13:16:32.237

Modified: 2026-06-11T14:42:54.153

Link: CVE-2026-11956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T13:30:15Z

Weaknesses
  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute