Cyber Posture

CVE-2026-40010

Severity: Critical
Published: 06 May 2026
Modified: 07 May 2026
KEV Added: not listed (see Summary)
Patch: fixed in 10.9.0 (see NVD Description)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40010 is a critical-severity Session Fixation (CWE-384) vulnerability in Apache Wicket. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks this CVE at the 29.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult. (addresses CWE-384)
- Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier. (addresses CWE-384)
- Enforcing proper session ID generation and binding prevents fixation of a known session token. (addresses CWE-384)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

A session fixation vulnerability in a public web framework directly enables exploitation under T1190, and a fixed session ID enables T1185 browser session hijacking.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

Deeper analysis (AI-generated)

Automated synthesis unavailable for this CVE.

Details

CWE(s)

CWE-384 Session Fixation
Affected Products

apache
wicket
8.0.0 — 8.17.0 · 9.0.0 — 9.22.0 · 10.0.0 — 10.9.0

CVEs Like This One

CVE-2026-43646 · Same product: Apache Wicket
CVE-2024-46910 · Same vendor: Apache
CVE-2025-22828 · Same vendor: Apache
CVE-2026-27446 · Same vendor: Apache
CVE-2024-56180 · Same vendor: Apache
CVE-2026-30778 · Same vendor: Apache
CVE-2026-22022 · Same vendor: Apache
CVE-2025-27821 · Same vendor: Apache
CVE-2026-24015 · Same vendor: Apache
CVE-2026-34197 · Same vendor: Apache