CVE-2026-0696 in PSA
Summary
by MITRE • 01/16/2026
In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.
Analysis
by VulDB Data Team • 01/24/2026
The vulnerability identified as CVE-2026-0696 affects ConnectWise PSA versions prior to 2026.1 and represents a critical security flaw in session management practices. This issue stems from the improper configuration of session cookies that lack the HttpOnly attribute, creating a pathway for malicious client-side scripts to access sensitive session information. The vulnerability falls under the category of insufficient session cookie protection mechanisms, which is directly related to CWE-1004, a weakness that specifically addresses the absence of proper security flags in session management. The ConnectWise PSA platform serves as a comprehensive professional services automation solution that manages client relationships, project tracking, time and expense management, and resource allocation for service providers, making it a prime target for attackers seeking persistent access to enterprise environments.
The technical flaw manifests when session cookies are transmitted without the HttpOnly flag, a security measure designed to limit the impact of cross-site scripting attacks by ensuring that cookies cannot be read by client-side scripts such as JavaScript. When this attribute is missing, malicious actors can leverage reflected or stored cross-site scripting vulnerabilities to execute scripts that read session cookie values from the document.cookie property. This exploitation allows attackers to hijack user sessions and gain unauthorized access to the ConnectWise PSA platform with the privileges of the compromised user. The vulnerability's impact is particularly severe because ConnectWise PSA systems often contain sensitive business data including client information, financial records, project details, and operational workflows that could be compromised through session hijacking.
The operational impact of this vulnerability extends beyond simple session theft, as it enables attackers to potentially escalate privileges and maintain persistent access to enterprise environments. Once an attacker obtains a valid session cookie, they can navigate the platform as the authenticated user, potentially accessing confidential client data, modifying project information, or manipulating resource allocations. This scenario aligns with ATT&CK technique T1566, which covers credential access through social engineering and malicious code, and T1078, which addresses valid accounts usage for persistence. The vulnerability creates a persistent threat vector that can be exploited across multiple user sessions and potentially across different user roles within the system, depending on the specific permissions granted to each account.
Organizations should immediately implement mitigations, starting with updating to ConnectWise PSA version 2026.1 or later, which addresses this vulnerability through proper cookie configuration. Additionally, security teams should conduct comprehensive cookie security audits to ensure all session cookies are configured with the HttpOnly attribute, and implement additional protections such as Secure flag enforcement and SameSite attribute configuration. Network segmentation and monitoring solutions should be deployed to detect anomalous access patterns that might indicate session hijacking attempts. The implementation of web application firewalls and regular security scanning should also be considered as part of a comprehensive defense-in-depth strategy. Organizations should also review and update their incident response procedures to address potential session hijacking scenarios and ensure proper user account lifecycle management to minimize the impact of compromised credentials. This vulnerability highlights the critical importance of proper session management practices and adherence to security standards such as those outlined in the OWASP Top 10 and the NIST Cybersecurity Framework.
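The cookie audit recommended above, and the missing-HttpOnly condition described in the technical analysis, can be checked mechanically against the Set-Cookie headers an application emits. The following is an added example, not ConnectWise code; the cookie name `sessionid`, its value and the two sample headers are constructed placeholders.

```python
"""Audit Set-Cookie headers for the flags whose absence CVE-2026-0696 describes.

Added example, not ConnectWise code. Cookie names and values are constructed;
point it at the Set-Cookie headers your own application actually returns.
"""
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # flag attributes (HttpOnly, Secure) carry no value; record them as True
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(header: str, session_names=("sessionid",)) -> list[str]:
    """Return the weaknesses found; an empty list means the cookie is hardened."""
    c = parse_set_cookie(header)
    findings = []
    is_session = c.name.lower() in {n.lower() for n in session_names}
    if is_session and "httponly" not in c.attrs:
        # exactly the condition behind CVE-2026-0696
        findings.append("missing HttpOnly: readable via document.cookie")
    if "secure" not in c.attrs:
        findings.append("missing Secure: may be sent over plaintext HTTP")
    samesite = c.attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append("SameSite absent or None: sent on cross-site requests")
    return findings


# Constructed headers: first as a vulnerable server might emit it, second hardened.
WEAK = "sessionid=abc123; Path=/"
HARDENED = "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cookie(hdr) or ["ok"])
```

Feed it the `Set-Cookie` lines from a captured login response (one call per header) to confirm the fix in 2026.1 took effect on every session cookie, not just the one you happened to inspect.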