Submit #836328: TwiN gatus 5.36.0 Sensitive Cookie Without Secure Attribute

Title: TwiN gatus 5.36.0 Sensitive Cookie Without Secure Attribute
Description: Gatus — OIDC Session Cookie Missing HttpOnly and Secure Flags

## Summary

Gatus sets the persistent OIDC session cookie without the `HttpOnly` or `Secure` flags. This makes the session ID readable by JavaScript and transmittable over plaintext HTTP. The bug is inconsistent with the same file's handling of the temporary state and nonce cookies, which both explicitly set `HTTPOnly: true`.

---

## Vulnerable Code

**File:** `security/oidc.go:139-150`

```go
func (c *OIDCConfig) setSessionCookie(w http.ResponseWriter, idToken *oidc.IDToken) {
	sessionID := uuid.NewString()
	sessions.SetWithTTL(sessionID, idToken.Subject, c.SessionTTL)
	http.SetCookie(w, &http.Cookie{
		Name:     cookieNameSession,
		Value:    sessionID,
		Path:     "/",
		MaxAge:   int(c.SessionTTL.Seconds()),
		SameSite: http.SameSiteStrictMode,
		// Missing: HttpOnly: true
		// Missing: Secure:   true
	})
}
```

Compare with the state and nonce cookies set during login — same file, explicit flags:

```go
ctx.Cookie(&fiber.Cookie{
	Name: cookieNameState,
	...
	SameSite: "lax",
	HTTPOnly: true, // ← present on less-sensitive cookie
})
```

---

## Impact

**Missing `HttpOnly`:** Any JavaScript executing in the Gatus origin (e.g., via a future XSS) can read `document.cookie` and extract the session ID.

**Missing `Secure`:** If the Gatus instance is reachable over HTTP, or if an attacker performs a protocol downgrade (e.g., SSLstrip), the session cookie is included in cleartext HTTP requests, exposing it to network observation.

The session cookie is the only credential required to access the protected dashboard endpoints (`/v1/endpoints/statuses`, etc.). Default TTL is 8 hours.

---

## Attack Scenario

1. **HTTP interception:** Gatus is deployed on an internal network accessible over plain HTTP (common for monitoring tools). An attacker on the same LAN observes a login request and captures the session cookie from the HTTP response or subsequent requests.
2. Attacker replays the session cookie to access the full dashboard and read internal service endpoint names, URLs, health check results, and credentials embedded in configured alert integrations.

---

## CVSS 3.1

```
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Score: 3.1 (Low)
```

- **AC:H** — requires HTTP interception or separate XSS to exploit.
- **C:L** — session ID exposure enabling dashboard access.

---
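As an added example (not code from the Gatus project or the submitter), the cookie construction described in the report beside its hardened form, plus a regression check that records the response, parses the `Set-Cookie` header the way a browser would, and lists the protective flags the session cookie lacks. The cookie name is a placeholder, since the real constant in `security/oidc.go` is unexported.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Placeholder: the real cookie name constant in security/oidc.go is unexported.
const sessionCookieName = "gatus_session_placeholder"
// setSessionCookieVulnerable mirrors the reported construction: SameSite only.
func setSessionCookieVulnerable(w http.ResponseWriter, id string, ttl time.Duration) {
	http.SetCookie(w, &http.Cookie{
		Name: sessionCookieName, Value: id, Path: "/",
		MaxAge: int(ttl.Seconds()), SameSite: http.SameSiteStrictMode,
	})
}
// setSessionCookieHardened adds the two flags the report finds missing.
func setSessionCookieHardened(w http.ResponseWriter, id string, ttl time.Duration) {
	http.SetCookie(w, &http.Cookie{
		Name: sessionCookieName, Value: id, Path: "/",
		MaxAge: int(ttl.Seconds()), SameSite: http.SameSiteStrictMode,
		HttpOnly: true, Secure: true,
	})
}
// missingCookieFlags runs a setter through a recorder, parses Set-Cookie as a browser would, and lists absent flags.
func missingCookieFlags(set func(http.ResponseWriter, string, time.Duration), name string) []string {
	rec := httptest.NewRecorder()
	set(rec, "constructed-session-id", 8*time.Hour) // 8h: the default TTL cited in the report
	missing := []string{}
	for _, c := range rec.Result().Cookies() {
		if c.Name != name {
			continue
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		return missing
	}
	return []string{"cookie not set"}
}

func main() {
	fmt.Println("vulnerable:", missingCookieFlags(setSessionCookieVulnerable, sessionCookieName))
	fmt.Println("hardened:", missingCookieFlags(setSessionCookieHardened, sessionCookieName))
}
```

A check of this shape in the handler's test suite fails as soon as either flag is dropped again.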
Source: https://github.com/TwiN/gatus
User: geochen (UID 78995)
Submission: 05/24/2026 04:33 (19 days ago)
Moderation: 06/11/2026 08:56 (18 days later)
Status: Accepted
VulDB entry: 370343 [TwiN gatus 5.36.0 OIDC Session Cookie security/oidc.go setSessionCookie missing secure attribute]
Points: 19
