CVE-2026-11956— TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute
Possible ATT&CK Techniques 1AI
T1530 · Data from Cloud StorageGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-11956
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
HTTPS会话中未设置’Secure’属性的敏感Cookie
Source: NVD (National Vulnerability Database)
Vulnerability Title
gatus 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
gatus是TwiN个人开发者的一个服务健康监控与告警工具。 gatus 5.36.0版本存在安全漏洞,该漏洞源于OIDC会话Cookie处理器的setSessionCookie函数中,执行操作可能导致敏感Cookie缺少安全属性,攻击者可远程发起攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-11956
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-11956
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-11956 (1)
IV. Related Vulnerabilities
Same weakness: CWE-614
- CVE-2026-46550
NocoDB: Refresh Token Cookie Set Without `Secure` and `SameS - CVE-2026-53661
boruta-server sent sensitive session cookies without the Sec - CVE-2026-46398
HAX CMS Missing Secure Flag on Cookie - CVE-2025-52608
HCL iControl was affected by Missing Cookie Attributes vuln - CVE-2026-41017
Apache Airflow: JWT cookie missing Secure flag in JWTRefresh
V. Comments for CVE-2026-11956
No comments yet