CVE-2026-23796 in Quick.Cart

Summary

by MITRE • 02/05/2026

Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.


Analysis

by VulDB Data Team • 02/19/2026

This vulnerability in Quick.Cart represents a critical session management flaw that directly violates fundamental security principles governing web application authentication. The core issue stems from the application's improper handling of session identifiers where users can set their session ID before authentication occurs, and this identifier remains unchanged even after successful authentication. This behavior creates a predictable and exploitable condition that fundamentally undermines the security model of the application. The vulnerability falls under the category of session fixation attacks as defined by CWE-384, where an attacker can establish a known session identifier and later reuse it to gain unauthorized access to a victim's authenticated session. The flaw exists because the application fails to implement proper session regeneration mechanisms upon successful authentication, which is a fundamental requirement in secure session management practices.

The operational impact of this vulnerability is severe and directly enables session hijacking attacks that can result in complete unauthorized access to user accounts. An attacker who can predict or fix a session identifier for a victim can later return to the application with the same session ID and gain access to the victim's authenticated session without needing to know their credentials. This creates a persistent threat where the attacker can maintain access to the victim's account indefinitely until the session expires naturally or the application is restarted. The vulnerability is particularly dangerous because it allows for offline attacks where the attacker can prepare the session fixation in advance and execute the hijacking at a later time. This behavior enables the attacker to perform actions as the victim, potentially accessing sensitive data, modifying account settings, or conducting fraudulent transactions. The attack vector is relatively simple and does not require complex exploitation techniques, making it particularly dangerous in environments where session identifiers might be predictable or exposed through other means.

The lack of vendor response to this vulnerability is concerning as it suggests either inadequate security practices or potential knowledge gaps in the development team regarding proper session management. The vendor's failure to provide details about vulnerable versions or a timeline for remediation creates uncertainty for users who may be running affected versions. This vulnerability is particularly concerning when considering the ATT&CK framework's session management techniques, where adversaries can leverage session fixation to maintain access to compromised accounts. The fact that only version 6.7 was tested and confirmed as vulnerable does not provide assurance that other versions are safe, as similar issues could exist in different release branches. Organizations using Quick.Cart should immediately implement mitigations including immediate session regeneration upon authentication, proper session ID validation, and monitoring for suspicious session activity. The vulnerability highlights the critical importance of implementing proper session management protocols, including the use of secure random session identifiers, session regeneration after authentication, and the implementation of session timeout mechanisms. This issue demonstrates that even basic authentication flows require careful security consideration to prevent exploitation through session management flaws that can be easily remediated through proper implementation of established security best practices.
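The session handling described above, modelled as an added example that is not Quick.Cart's own code: a toy server-side session store that can either keep or regenerate the session id on login, and either adopt or reject unknown client-supplied ids. All names and values are constructed; the point is to show which of the two mitigations actually closes the CWE-384 condition.

```python
import secrets


class SessionStore:
    """Toy server-side session store (constructed illustration, not Quick.Cart code)."""

    def __init__(self, regenerate_on_login: bool, adopt_client_ids: bool):
        self.regenerate_on_login = regenerate_on_login  # the CWE-384 fix
        self.adopt_client_ids = adopt_client_ids        # accept unknown ids from the cookie?
        self.sessions = {}                              # session id -> session data

    def begin_request(self, cookie_sid):
        """Map the incoming cookie to a session id, issuing a fresh one when needed."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if cookie_sid is not None and self.adopt_client_ids:
            # Weak pattern: trust whatever id the client presents.
            self.sessions[cookie_sid] = {}
            return cookie_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def login(self, sid, user):
        """Authenticate; with the fix, the pre-auth id is discarded and a new one issued."""
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_with_arbitrary_id(store) -> bool:
    """Pre-planted attacker-chosen string; True if it is authenticated after the victim logs in."""
    planted = "attacker-chosen-id"  # constructed value
    store.login(store.begin_request(planted), "victim")
    return store.user_for(planted) == "victim"


def fixation_with_server_issued_id(store) -> bool:
    """Same check, but the planted id is a genuine unauthenticated id the server issued earlier."""
    planted = store.begin_request(None)
    store.login(store.begin_request(planted), "victim")
    return store.user_for(planted) == "victim"
```

Rejecting unknown ids only blocks the arbitrary-string case; a server-issued pre-auth id still survives login unless it is regenerated. Assuming Quick.Cart runs on PHP (not stated on this page), the equivalent of `regenerate_on_login=True` is calling `session_regenerate_id(true)` immediately after the credential check.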

Responsible: CERT-PL
Reservation: 01/16/2026
Disclosure: 02/05/2026
Moderation: accepted
CPE: ready
EPSS: 0.00065
KEV: no
Activities: very low
