{"id":"CVE-2026-38968","details":"ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.","modified":"2026-07-10T04:03:03.450288812Z","published":"2026-07-02T00:00:00Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/38xxx/CVE-2026-38968.json","cna_assigner":"mitre"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/38xxx/CVE-2026-38968.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38968"},{"type":"FIX","url":"https://github.com/ntop/ntopng/commit/14e22497233dc7d31d19dccb74b13bb073d16c2c"},{"type":"FIX","url":"https://github.com/ntop/ntopng/commit/179a346ceb6239fd36128ccca3efa8f9ea61eeb5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ntop/ntopng","events":[{"introduced":"0"},{"fixed":"14e22497233dc7d31d19dccb74b13bb073d16c2c"},{"fixed":"179a346ceb6239fd36128ccca3efa8f9ea61eeb5"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":"cpe:2.3:a:ntop:ntopng:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"6.6"}]}}],"versions":["3.0","2.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-38968.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}