Impact
Apache Wicket versions 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0 allow an attacker to perform a session fixation attack by exploiting a missing invocation of the Servlet method changeSessionId after a session is bound. This flaw permits an attacker to set or reuse a session identifier before the user authenticates and then force the application to accept that session ID, effectively hijacking the legitimate user’s session. The vulnerability arises from improper session management (CWE-384) and can lead to unauthorized access to resources that rely on authenticated sessions.
Affected Systems
Products affected are Apache Wicket versions 8.0.0-8.17.0, 9.0.0, and 10.0.0-10.8.0. Affected installations include any environment that deploys these Wicket versions without the patch applied in 10.9.0.
Risk and Exploitability
The CVSS score is 9.1, the EPSS score is below 1%, and the vulnerability is not listed in CISA KEV. Given the nature of session fixation, an attacker with access to client traffic or the ability to modify the request before authentication could exploit the flaw, resulting in unauthorized session takeover. The EPSS score below 1% indicates a low probability of exploitation in the wild, but the CVSS score of 9.1 shows substantial potential impact if exploited; remediation is strongly recommended. The attack vector is inferred to be crafted HTTP requests that set a session ID before login.
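The control the advisory says was missing is the Servlet 3.1 `HttpServletRequest.changeSessionId()` call at the moment a session becomes authenticated. The following added example (not Apache Wicket's own code or its patch) shows the vulnerable pattern beside the hardened one in a plain servlet login handler; `checkCredentials` and the `/home` redirect are hypothetical placeholders for the application's own logic.

```java
import java.io.IOException;
import jakarta.servlet.http.HttpServlet;   // javax.servlet.* on Servlet 4 / Wicket 8 and 9
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; the real application supplies its own.
    private boolean checkCredentials(String user, String password) {
        return "alice".equals(user) && "correct-horse".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");

        if (!checkCredentials(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Vulnerable pattern (CWE-384): the session id that arrived with the
        // login request, possibly planted before authentication, is kept and
        // simply promoted to an authenticated session.
        //
        //   HttpSession session = req.getSession(true);
        //   session.setAttribute("user", user);

        // Hardened pattern: bind a session, then rotate its id. changeSessionId()
        // keeps the session's attributes but issues a fresh id and Set-Cookie, so
        // an id known to a third party before login never identifies the
        // authenticated session.
        req.getSession(true);                  // changeSessionId() needs a bound session
        String freshId = req.changeSessionId(); // Servlet 3.1+
        HttpSession session = req.getSession(false);
        session.setAttribute("user", user);

        // Defensive check: the id must actually have changed before we trust it.
        if (freshId == null || freshId.equals(req.getRequestedSessionId())) {
            session.invalidate();
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        resp.sendRedirect("/home");
    }
}
```

In a Wicket application the same rotation belongs at the point where the application's session is marked signed in; until the fixed Wicket release is deployed, verifying that the `JSESSIONID` cookie value returned after a successful login differs from the one sent with the login request is a quick way to confirm the behaviour.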