Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue.
Published: 2026-02-25
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized session hijack due to cookie leakage
Action: Immediate Patch
AI Analysis

Impact

Manyfold is an open-source web application for managing 3D models. In versions prior to 0.133.0, a response that sets an authenticated user's session cookie could be stored by a shared proxy cache and then served to other clients requesting the same resource, so a client that receives the cached copy also receives the victim's session cookie. The CVE is tagged CWE-613 (Insufficient Session Expiration); the underlying defect is a session cookie leaking through a cache shared among clients, and the effect is that an attacker can impersonate the authenticated user and gain unauthorized access to the application and potentially its underlying data.

Affected Systems

The affected product is Manyfold, the self-hosted web application published by the manyfold3d project (recorded on this page under the CPE cpe:2.3:a:manyfold:manyfold). All releases earlier than 0.133.0 are vulnerable; the fix shipped in version 0.133.0. Deployments running any earlier version are susceptible. No other vendor or product is listed.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) reflects high confidentiality and integrity impact offset by high attack complexity and required user interaction: the attacker needs no privileges on the application, but a victim's cookie-setting response must first be stored by a shared cache (a reverse proxy, CDN or caching layer between users and the application), and the attacker must then request the same cached resource through that cache. The EPSS score of less than 1% and the absence of this CVE from the CISA KEV catalog indicate no known exploitation in the wild at the time of enrichment, although the SSVC record on this page marks Exploitation as "poc", so a proof of concept exists. A successful attacker holds the victim's session and can read data or perform actions as that user.

Generated by OpenCVE AI on April 17, 2026 at 14:43 UTC.

Remediation

The vendor fix is Manyfold 0.133.0, as stated in the description above. No separate workaround is listed on this page; the proxy-side measures below reduce exposure for deployments that cannot upgrade immediately.

OpenCVE Recommended Actions

  • Upgrade Manyfold to version 0.133.0 or later. This release includes the fix for session cookie leakage.
  • Configure any reverse proxy, CDN or caching layer so that responses carrying a Set-Cookie header are never stored in a shared cache. Have the application send Cache-Control: private, no-store on responses that set or depend on a session cookie, and do not override it at the proxy. Look for settings that tell the proxy to ignore Set-Cookie or Cache-Control (for example nginx's proxy_ignore_headers Set-Cookie, which switches off nginx's default of not caching responses that set cookies) and remove them. Note that the Secure and SameSite cookie attributes do not affect whether a proxy caches a response; they limit where the browser sends the cookie, not where the cache stores it.
  • Ensure the session cookie is issued with the Secure, HttpOnly and SameSite attributes, whether in the application or at the proxy (for example via nginx's proxy_cookie_flags); these limit exposure to network interception and script access but do not, on their own, stop a cache from handing the cookie to another client. Monitor application logs for a session identifier used from more than one client address or for otherwise unusual session activity, and consider IP allow-listing or two-factor authentication for highly privileged accounts.

Generated by OpenCVE AI on April 17, 2026 at 14:43 UTC.
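The following Python script is an added example, not code from Manyfold or OpenCVE, that models the failure described under Risk and Exploitability and the proxy-side rule in the recommended actions. It simulates a shared cache in front of an origin that sets a user-specific session cookie on a response it also labels cacheable: a second client requesting the same path receives the first client's cookie from the cache. It then applies the two fixes side by side, the origin sending Cache-Control: private, no-store on cookie-setting responses, and the cache refusing to store any response that carries Set-Cookie. The cookie name `session`, the path `/models`, the user names and the origin behaviour are all constructed for the example; the script makes no claim about which Manyfold endpoint was affected.

```python
"""Shared-cache cookie leakage, modelled end to end.

Added example (not Manyfold or OpenCVE code). The cookie name, path, user
names and origin behaviour are assumptions made to illustrate the bug class.
"""
from dataclasses import dataclass

SESSION_COOKIE = "session"  # hypothetical cookie name


@dataclass
class Response:
    status: int
    headers: dict  # header names stored lower-cased
    body: str


def _directives(cache_control):
    """Parse 'private, max-age=60' into the set {'private', 'max-age'}."""
    return {part.strip().split("=", 1)[0].lower()
            for part in cache_control.split(",") if part.strip()}


def shared_cache_may_store(resp, request_headers=None):
    """Decide whether a *shared* cache may store this response.

    Subset of the RFC 9111 rules plus the cookie rule a proxy should apply:
      - Cache-Control: no-store or private  -> never store
      - a Set-Cookie header                 -> never store (it is per user)
      - request carried Authorization       -> store only if public/s-maxage
    """
    cc = _directives(resp.headers.get("cache-control", ""))
    if cc & {"no-store", "private"}:
        return False
    if "set-cookie" in resp.headers:
        return False
    req_names = {name.lower() for name in (request_headers or {})}
    if "authorization" in req_names and not (cc & {"public", "s-maxage"}):
        return False
    return True


def vulnerable_origin(user, cookie):
    """The defect: mints a session cookie for one user on a response that is
    labelled cacheable as if it were identical for everyone."""
    headers = {"cache-control": "max-age=60"}
    if cookie is None:  # no session yet: issue one bound to this user
        headers["set-cookie"] = f"{SESSION_COOKIE}=sid-{user}; Secure; HttpOnly"
    return Response(200, headers, f"Welcome, {user}")


def fixed_origin(user, cookie):
    """Application-side fix: a response that sets a cookie is marked
    private and no-store, so no shared cache may keep it."""
    resp = vulnerable_origin(user, cookie)
    if "set-cookie" in resp.headers:
        resp.headers["cache-control"] = "private, no-store"
    return resp


class SharedCache:
    """Proxy cache shared by all clients, keyed on path only.

    strict=False models a proxy told to ignore Set-Cookie when deciding
    cacheability (e.g. nginx 'proxy_ignore_headers Set-Cookie') while still
    honouring Cache-Control. strict=True applies shared_cache_may_store.
    """

    def __init__(self, strict):
        self.strict = strict
        self.store = {}
        self.log = []

    def fetch(self, path, user, cookie, origin):
        if path in self.store:
            self.log.append(f"HIT  {path} served to {user}")
            return self.store[path]
        resp = origin(user, cookie)
        if self.strict:
            storable = shared_cache_may_store(resp)
        else:
            cc = _directives(resp.headers.get("cache-control", ""))
            storable = not (cc & {"no-store", "private"})
        if storable:
            self.store[path] = resp
        self.log.append(f"MISS {path} for {user}, stored={storable}")
        return resp


def cookie_seen_by_second_client(strict, origin):
    """Alice loads /models first; Mallory then requests the same path.
    Returns the Set-Cookie header Mallory receives, if any."""
    cache = SharedCache(strict)
    cache.fetch("/models", "alice", None, origin)
    resp = cache.fetch("/models", "mallory", None, origin)
    return resp.headers.get("set-cookie")


if __name__ == "__main__":
    for strict in (False, True):
        for origin in (vulnerable_origin, fixed_origin):
            got = cookie_seen_by_second_client(strict, origin)
            leaked = got is not None and "sid-alice" in got
            print(f"strict_cache={strict!s:5} origin={origin.__name__:17} "
                  f"mallory_got={got!r} LEAK={leaked}")
```

Run it and the only LEAK=True row is the non-strict cache in front of the vulnerable origin; either fix alone closes it, which is why the recommendations ask for both the application header and the proxy rule. The same shared_cache_may_store check can be run over captured response headers from a deployment to list responses a shared cache would be permitted to keep.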


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Manyfold
                                      Manyfold manyfold
CPEs                                  cpe:2.3:a:manyfold:manyfold:*:*:*:*:*:*:*:*
Vendors & Products                    Manyfold
                                      Manyfold manyfold

Thu, 26 Feb 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Manyfold3d
                                      Manyfold3d manyfold
Vendors & Products                    Manyfold3d
                                      Manyfold3d manyfold

Wed, 25 Feb 2026 23:30:00 +0000

Type                 Values Removed   Values Added
Description                           Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue.
Title                                 Manyfold vulnerable to session hijack via cookie leakage in proxy caches
Weaknesses                            CWE-613
References
Metrics                               cvssV3_1
                                      {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:45:33.523Z

Reserved: 2026-02-25T03:11:36.688Z

Link: CVE-2026-27933

Vulnrichment

Updated: 2026-02-26T16:45:27.724Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:26.973

Modified: 2026-02-27T17:27:19.060

Link: CVE-2026-27933

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses