Cyber Resilience

CVE-2026-40010

Severity: Critical

Published: 06 May 2026

Modified: 07 May 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0038 (29.9th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-40010 is a critical-severity Session Fixation (CWE-384) vulnerability in Apache Wicket. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 29.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Missing invocation of the Servlet HTTP web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, and from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue.

CWE(s): CWE-384 (Session Fixation)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

A session fixation vulnerability in a public-facing web framework directly enables T1190 exploitation, and T1185 browser session hijacking follows from an attacker-known (fixed) session ID remaining valid after authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-43646 (same product: Apache Wicket)
- CVE-2024-46910 (same vendor: Apache)
- CVE-2025-66236 (same vendor: Apache)
- CVE-2026-41919 (same vendor: Apache)
- CVE-2026-46586 (same vendor: Apache)
- CVE-2026-41409 (same vendor: Apache)
- CVE-2025-67895 (same vendor: Apache)
- CVE-2026-34197 (same vendor: Apache)
- CVE-2025-48913 (same vendor: Apache)
- CVE-2025-24783 (same vendor: Apache)

Affected Assets

Vendor: apache
Product: wicket
Versions: 8.0.0 to 8.17.0, 9.0.0 to 9.22.0, 10.0.0 to 10.9.0

Mitigating Controls

Likely Mitigating Controls (AI-mapped)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-384: Session termination after a set interval shortens the usable lifetime of a fixed session identifier, making successful exploitation of session fixation more difficult.
- Addresses CWE-384: Re-authentication typically forces issuance of a new session, limiting the window for exploitation of a previously fixed session identifier.
- Addresses CWE-384: Enforcing proper session ID generation and binding (issuing a fresh identifier once the session is bound to an authenticated user) prevents fixation of a known session token.