Critical (9.1)

Wicket session fixation, no patch yet (CVE-2026-40010)

CVE-2026-40010: Apache Wicket 8.x-10.8.x session fixation allows attacker to hijack authenticated sessions without user interaction. Upgrade to 10.9.0.

Affected: Apache Wicket

Patch now: CVE-2026-40010 is a critical session fixation vulnerability in Apache Wicket 8.0.0 through 8.17.0, 9.0.0, and 10.0.0 through 10.8.0 that lets an attacker hijack a victim's authenticated session without any user interaction. The fix was released in Apache Wicket 10.9.0; upgrade immediately.

Overview

Apache Wicket, a popular Java web application framework, is vulnerable to a session fixation attack because the framework does not invoke the changeSessionId method after session binding, so the session identifier issued before authentication stays valid afterwards. Session fixation occurs when an attacker can force a user's application session ID to a value known to the attacker. Because the identifier is not rotated, the application keeps the same session ID after a successful login, allowing the attacker to wait for the user to authenticate and then use the pre-set session ID to impersonate the victim.

This vulnerability is particularly dangerous because it requires no user interaction (such as clicking a malicious link) and can be triggered over the network without authentication. The CVSS score of 9.1 (Critical) reflects this ease of exploitation and the severe confidentiality impact of a successful session hijack.

Impact

A successful attacker can impersonate an authenticated user on any application built with an affected Apache Wicket version. Depending on the target user’s privileges, this could lead to:

  • Unauthorized access to sensitive data
  • Privilege escalation if the hijacked session belongs to an administrator
  • Full compromise of the web application’s security model

Remediation

The permanent fix is to upgrade to Apache Wicket 10.9.0. For users stuck on older release lines (8.x, 9.x), vendors of downstream distributions may backport the fix, but the official Apache Wicket project recommends migrating to the supported 10.x branch and applying the latest patch.

As an interim mitigation, organizations can apply web application firewall (WAF) rules to detect and block session ID injection attempts, though this is not a substitute for patching. Administrators should also consider enforcing short session timeouts and implementing multi-factor authentication (MFA) to reduce the impact of a successful hijack.

Security Insight

This session fixation bug echoes a class of authentication bypass flaws that have haunted Java web frameworks for years, notably similar to CVE-2026-34197 in Apache ActiveMQ, which was added to the CISA KEV catalog due to active exploitation. The recurrence of such “missing identity reset after authentication” flaws suggests that many Java frameworks still lack consistent, framework-level session lifecycle management. For security teams, this is a strong signal to audit their own applications for similar patterns, particularly in custom authentication filters, as the underlying programming mistake is easily copied across projects.
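The audit the paragraph above calls for can start from access logs. The following Python example is added here and is not code from the advisory or from the Wicket project: it scans constructed log records for session IDs that are seen anonymous and later seen authenticated (the condition a missing changeSessionId call leaves behind) and for authenticated sessions used from more than one client address. The log line format and field order are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed access-log sample (not from any real deployment). Field order is
# an assumption: epoch_seconds session_id client_ip path user ("-" = anonymous).
SAMPLE_LOG = """\
1700000001 sid-A1B2 10.0.0.5    /home     -
1700000002 sid-A1B2 10.0.0.5    /login    -
1700000003 sid-A1B2 10.0.0.5    /account  alice
1700000009 sid-A1B2 203.0.113.9 /account  alice
1700000010 sid-C3D4 10.0.0.7    /login    -
1700000011 sid-E5F6 10.0.0.7    /account  bob
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, sid, ip, path, user = m.groups()
        events.append({"ts": int(ts), "sid": sid, "ip": ip, "path": path,
                       "user": None if user == "-" else user})
    return events


def audit_sessions(events):
    """Return findings keyed by session ID.

    A session ID observed while anonymous and later observed authenticated was
    not rotated at login, which is exactly the state session fixation needs. An
    authenticated session seen from several client IPs may be a hijack in use.
    """
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_sid[e["sid"]].append(e)
    findings = {}
    for sid, evs in by_sid.items():
        notes = []
        first_auth = next((i for i, e in enumerate(evs) if e["user"]), None)
        if first_auth is None:
            continue  # never authenticated: nothing to hijack
        if any(e["user"] is None for e in evs[:first_auth]):
            notes.append(f"session id unchanged across login of {evs[first_auth]['user']}")
        post_ips = {e["ip"] for e in evs[first_auth:]}
        if len(post_ips) > 1:
            notes.append(f"authenticated session used from {len(post_ips)} client IPs: {sorted(post_ips)}")
        if notes:
            findings[sid] = notes
    return findings
```

Sessions that first appear in the log already authenticated (like sid-E5F6 in the sample) produce no finding, which is the behaviour expected from an application that rotates the identifier at login.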
