ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.
History

Mon, 06 Jul 2026 20:00:00 +0000

Type Values Removed Values Added
Title Predictable HTTP Session Identifier in ntopng 6.6 Allows Session Hijacking
Weaknesses CWE-330

Mon, 06 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-341
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifier Leading to Session Hijacking in ntopng
Weaknesses CWE-330

Mon, 06 Jul 2026 02:45:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifier Leading to Session Hijacking in ntopng
Weaknesses CWE-330

Sun, 05 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifier in ntopng 6.6 Enables Session Hijacking
Weaknesses CWE-330

Sat, 04 Jul 2026 21:15:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifier in ntopng 6.6 Enables Session Hijacking
Weaknesses CWE-330

Sat, 04 Jul 2026 10:45:00 +0000

Type Values Removed Values Added
Title Predictable session identifiers allow session hijacking in ntopng
Weaknesses CWE-613

Sat, 04 Jul 2026 02:45:00 +0000

Type Values Removed Values Added
Title Predictable session identifiers allow session hijacking in ntopng
Weaknesses CWE-613

Fri, 03 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifiers Permit Session Hijacking in ntopng 6.6
Weaknesses CWE-613

Fri, 03 Jul 2026 04:00:00 +0000

Type Values Removed Values Added
Title Predictable Session Identifiers Permit Session Hijacking in ntopng 6.6
Weaknesses CWE-613

Thu, 02 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Ntop
Ntop ntopng
Vendors & Products Ntop
Ntop ntopng

Thu, 02 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Description ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-07-02T00:00:00.000Z

Updated: 2026-07-06T17:16:49.092Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38968

cve-icon Vulnrichment

Updated: 2026-07-06T17:15:55.314Z

cve-icon NVD

No data.

cve-icon Redhat

No data.