CVE-2026-35095 MEDIUM

CVE-2026-35095: Session fixation in KTM System e-BOK

Vendor Ktm System
Product e-BOK
Weakness CWE-384 · Session fixation
Published June 30, 2026
Last update June 30, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in the patch published in June 2026.

Key dates

02Disclosure timeline

June 30, 2026 CVE published