ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.

Project Subscriptions

Vendors Products
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Sat, 04 Jul 2026 02:45:00 +0000

Type Values Removed Values Added
Title Predictable session identifiers allow session hijacking in ntopng
Weaknesses CWE-613

Fri, 03 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifiers Permit Session Hijacking in ntopng 6.6
Weaknesses CWE-613

Fri, 03 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifiers Permit Session Hijacking in ntopng 6.6
Weaknesses CWE-613

Thu, 02 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Ntop
Ntop ntopng
Vendors & Products Ntop
Ntop ntopng

Thu, 02 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-02T20:35:47.923Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38968

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-04T02:30:04Z

Weaknesses