CVE-2026-23796
Published: 05 February 2026
Summary
CVE-2026-23796 is a critical-severity Session Fixation (CWE-384) vulnerability in Opensolution Quick.Cart. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 20.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and AC-12 (Session Termination).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires mechanisms such as issuing a new session identifier when a session is established or its privilege level changes; regenerating the ID on successful login directly prevents session fixation, because the value the attacker planted is no longer valid after authentication.
IA-5 mandates management of authenticators, including session IDs, through periodic change, protection from disclosure, and prevention of unauthorized reuse; this addresses session fixation only in part, since it does not by itself force a new ID at login.
AC-12 enforces automatic session termination after inactivity or on trigger events such as logout, which shortens the window in which a session hijacked through a fixed ID remains usable.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Session fixation in a public-facing web application gives a remote, unauthenticated attacker a path to hijacking authenticated sessions, which maps to Exploit Public-Facing Application (T1190).
NVD Description
Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
Deeper analysis
CVE-2026-23796 is a session fixation vulnerability (CWE-384) in Quick.Cart, an e-commerce software platform. The application accepts a session identifier that was set before authentication and keeps that same identifier after the user logs in. Only version 6.7 of Quick.Cart has been tested and confirmed vulnerable; other versions may also be affected, as the vendor did not provide a vulnerable version range despite early notification. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can exploit this by forcing a victim to use a predetermined session ID, for example through a crafted link or other resource that carries the fixed identifier. Once the victim authenticates while presenting that ID, the attacker can reuse it to hijack the authenticated session and act with the victim's account privileges without any further credentials.
The CERT Polska advisory at https://cert.pl/posts/2026/02/CVE-2026-23796 confirms the session fixation behaviour in Quick.Cart version 6.7. The vendor's site at https://opensolution.org/sklep-internetowy-quick-cart.html provides general information on the software but no patch or mitigation guidance, as the vendor did not respond to notifications with remediation details. Practitioners should assume broad version impact. To confirm exposure on a given instance, record the session cookie value before logging in and compare it with the value after a successful login: if the two are identical, the instance is affected. Until an official fix is available, apply session management best practice: regenerate the session ID on successful authentication and invalidate the pre-authentication session, and reject client-supplied session IDs the server never issued.
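The following model, added here as an illustration and not Quick.Cart code, shows the vulnerable login pattern described in the advisory beside a hardened one. Both the in-memory session store and the login functions are hypothetical; the attack scenario is run twice against each, once with an attacker-invented session ID and once with an ID the server itself issued to the attacker before login, to show why rejecting unissued IDs alone is not enough and regeneration at login is the decisive control.

```python
"""Session fixation (CWE-384): login that keeps the pre-authentication session
ID versus login that regenerates it.  Added example; names are hypothetical."""
import secrets


class SessionStore:
    """Minimal in-memory session table keyed by session ID (hypothetical)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": username or None}

    def new_session(self):
        """Issue a fresh, server-generated, unpredictable session ID."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """The account a request presenting cookie `sid` is authenticated as."""
        return self.sessions.get(sid, {}).get("user")


def login_vulnerable(store, client_sid, username):
    """Vulnerable pattern: the ID the client presents is adopted, even if the
    server never issued it, and is kept unchanged across authentication.
    This is the behaviour the advisory describes for Quick.Cart 6.7."""
    store.sessions.setdefault(client_sid, {"user": None})
    store.sessions[client_sid]["user"] = username
    return client_sid  # same ID before and after login -> fixation


def login_hardened(store, client_sid, username):
    """Hardened pattern: the pre-authentication session (issued or not) is
    discarded and a brand-new server-generated ID is bound to the user, the
    equivalent of PHP's session_regenerate_id(true) on successful login."""
    store.sessions.pop(client_sid, None)  # invalidate the planted/old session
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid


def fixation_attack(login, planted_from_server):
    """Run the CWE-384 scenario against `login` and return
    (account the attacker's fixed ID resolves to after the victim logs in,
     whether the victim's ID changed at login)."""
    store = SessionStore()
    # 1. Attacker obtains a session ID to plant on the victim: either a value
    #    they made up, or one the server legitimately issued to them.
    if planted_from_server:
        fixed_sid = store.new_session()
    else:
        fixed_sid = "attacker-chosen-session-id"  # constructed value
    # 2. Victim authenticates while presenting the planted ID (e.g. delivered
    #    through a crafted link or an injected cookie).
    victim_sid = login(store, fixed_sid, "victim")
    # 3. Attacker replays the fixed ID.
    return store.user_for(fixed_sid), victim_sid != fixed_sid


def run_all():
    """Outcome of both scenarios against both login handlers."""
    return {
        "vulnerable/invented": fixation_attack(login_vulnerable, False),
        "vulnerable/issued": fixation_attack(login_vulnerable, True),
        "hardened/invented": fixation_attack(login_hardened, False),
        "hardened/issued": fixation_attack(login_hardened, True),
    }


if __name__ == "__main__":
    for name, (hijacked, regenerated) in run_all().items():
        print(f"{name:20s} hijacked={hijacked!r:10} id_regenerated={regenerated}")
```

In the vulnerable handler both runs hand the attacker the victim's authenticated session; in the hardened handler neither does, because the planted ID is dropped and a new one issued at login. The same before/after comparison of the session cookie is the quickest manual check against a live Quick.Cart instance.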
Details
- CWE(s)