Description

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

PUBLISHED Reserved 2026-01-07 | Published 2026-01-16 | Updated 2026-01-27 | Assigner ConnectWise




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag

Product status

Default status: unaffected

All versions prior to 2026.1: affected

Credits

Petar Sever (The Missing Link) finder

References

www.connectwise.com/...bulletins/2026-01-15-psa-security-fix

www.themissinglink.com.au/security-advisories/cve-2026-0696

cve.org (CVE-2026-0696)

nvd.nist.gov (CVE-2026-0696)
