Description
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
Published: 2026-03-13
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking
Action: Patch Upgrade
AI Analysis

Impact

The vulnerability allows an attacker to hijack user sessions by exploiting an insecure cookie configuration. Because the cookie set by JetBrains Datalore lacks the Secure flag, it can be transmitted over non‑HTTPS connections and may be captured or forged. An attacker who obtains a valid session cookie can impersonate a user and gain unauthorized access to the Datalore workspace, exposing sensitive data and potentially enabling further attacks. The weakness is represented by CWE‑319 and CWE‑614.

Affected Systems

JetBrains Datalore products before release 2026.1 are affected. All installations that use the default unsecured cookie setting are at risk; no specific sub‑version details are provided beyond the pre‑2026.1 timeframe.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation in the short term, though the impact remains serious if the flaw is used. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only the ability to read or modify cookie values, which can be achieved by intercepting traffic over HTTP or via cross‑site scripting. Thus the primary attack vector is inferred to be remote over unsecured connections, potentially in environments where the Datalore server is reachable via HTTP.

Generated by OpenCVE AI on April 2, 2026 at 17:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Datalore upgrade to version 2026.1 or later, which sets the Secure flag on session cookies.
  • If upgrading is not possible immediately, manually configure the web server to set the Secure attribute on the session cookie for Datalore.
  • Ensure that all user traffic to Datalore is served over HTTPS to prevent cookie interception.
  • Monitor access logs for anomalous session activity and consider implementing additional session timeout or integrity checks.

Generated by OpenCVE AI on April 2, 2026 at 17:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title JetBrains Datalore Session Hijacking via Insecure Cookie

Thu, 02 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-319
CPEs cpe:2.3:a:jetbrains:datalore:*:*:*:*:*:*:*:*

Mon, 23 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title JetBrains Datalore Session Hijacking via Insecure Cookie

Tue, 17 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Jetbrains
Jetbrains datalore
Vendors & Products Jetbrains
Jetbrains datalore

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
Weaknesses CWE-614
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Jetbrains Datalore
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-03-17T12:54:07.103Z

Reserved: 2026-03-13T15:48:07.191Z

Link: CVE-2026-32745

cve-icon Vulnrichment

Updated: 2026-03-16T17:07:17.829Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:55:09.983

Modified: 2026-04-02T14:55:21.807

Link: CVE-2026-32745

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:23:51Z

Weaknesses