Description
EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in.
Published: 2026-06-22
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

EasyFlow .NET contains a session fixation flaw (CWE‑384) that lets an unauthenticated remote attacker replace a specific session ID for a legitimate user. When the victim subsequently logs in, the attacker can access the user’s privileged session, effectively hijacking the user’s identity. This vulnerability results in unauthorized access to user accounts and the data and actions they are permitted to perform.

Affected Systems

The vulnerability affects Digiwin EasyFlow .NET deployments running versions prior to 8.1.5. Any installation that has not applied the update released by Digiwin is vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, and the attack can be carried out from a remote network without authentication by manipulating HTTP headers or cookies. While no EPSS data is provided and the issue is not listed in KEV, the potential impact on confidentiality, integrity and availability warrants rapid remediation. Attackers can exploit the flaw by sending a crafted request that sets a known session ID for a target user, then waiting for the user to authenticate to gain that session. This makes the vulnerability easily exploitable in environments where session cookies are not regenerated after login.

Generated by OpenCVE AI on June 22, 2026 at 11:50 UTC.

Remediation

Vendor Solution

Update to version 8.1.5 or later.


OpenCVE Recommended Actions

  • Apply the Digiwin patch to update EasyFlow .NET to version 8.1.5 or later.
  • Configure the application to regenerate session identifiers immediately after successful authentication and reject any pre‑set or stale session IDs.
  • Enforce HTTPS for all traffic and set secure, HttpOnly flags on session cookies to reduce the risk of interception or tampering.

Generated by OpenCVE AI on June 22, 2026 at 11:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Digiwin
Digiwin easyflow .net
Vendors & Products Digiwin
Digiwin easyflow .net

Mon, 22 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
Description EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in.
Title Digiwin|EasyFlow .NET - Session Fixation
Weaknesses CWE-384
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Digiwin Easyflow .net
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-06-22T10:26:23.605Z

Reserved: 2026-06-18T06:51:13.798Z

Link: CVE-2026-12581

cve-icon Vulnrichment

Updated: 2026-06-22T10:26:18.313Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T13:00:11Z

Weaknesses