CVE-2026-40010 -- CVSS 9.1 Vulnerability Briefing
CVE-2026-40010 | CVSS 9.1 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-40010 is a session fixation vulnerability in Apache Wicket, a Java-based web application framework, caused by the failure to invoke the changeSessionId method on the HTTP servlet request following session binding.
Technical Detail
The flaw exists because Apache Wicket does not call HttpServletRequest.changeSessionId() after a user authenticates and the session is bound, so the session identifier the browser held before authentication remains valid, and is now authenticated, after login. An attacker who can plant a known session identifier in the victim's browser before login (fixation), or observe the pre-authentication identifier, can then present that same identifier and inherit the authenticated session without credentials. The impact is session hijacking amounting to authentication bypass for any account the victim logs into while the fixed identifier is in use. Note that the attacker still needs a separate channel to plant or read the cookie, such as a cookie-injecting sibling subdomain, a cross-site scripting flaw, or a network position that can inject a Set-Cookie header; the CVE itself only makes that planted identifier survive login. All versions of Apache Wicket from 8.0 onward are affected.
Exploitation Status
No known exploit code has been publicly identified at this time. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit, though the attack technique itself is well-understood and does not require sophisticated tooling once a vulnerable target is identified.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence.
What To Do
Organizations running Apache Wicket 8.0 or later should apply the vendor-issued patch as soon as one is available and treat this as a high-priority remediation, given the CVSS score of 9.1 and the simplicity of session fixation once an attacker can plant a cookie. In the interim, teams should review their application's sign-in path and add a compensating control that calls HttpServletRequest.changeSessionId() immediately after a successful authentication and before any authenticated state is relied upon, then verify in a test that the session cookie value returned after login differs from the one sent with the login request. For detection, correlate the session cookie value (JSESSIONID under the default servlet container configuration, since Wicket uses the container's HttpSession) with login events in access or application logs: a session identifier that was first seen on unauthenticated requests, was then used for a login, and continued in use afterward, especially from a different source address, is the signature of a fixated session. Organizations should also audit any Apache Wicket deployments exposed to untrusted networks and consider restricting access where feasible until patching is complete.
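The compensating control described above, written out as an added example for this briefing; it is not Apache Wicket project code and not the vendor's fix. It assumes a Wicket 8 or 9 application (javax.servlet namespace) on a Servlet 3.1 or later container, which is where HttpServletRequest.changeSessionId() is available. The class name HardenedSession, the nested UserStore credential check and its constructed test account are placeholders for the application's own session class and authenticator. The rotation happens inside authenticate(), which AuthenticatedWebSession.signIn() calls before binding the session, so the ID planted before login is replaced at the moment authentication succeeds.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;
import org.apache.wicket.authroles.authorization.strategies.role.Roles;
import org.apache.wicket.request.Request;
import org.apache.wicket.request.cycle.RequestCycle;

/**
 * Custom Wicket session that rotates the container session ID on successful
 * login. Added example for this briefing; not Wicket project code.
 */
public class HardenedSession extends AuthenticatedWebSession {

    public HardenedSession(Request request) {
        super(request);
    }

    /**
     * Invoked by the final AuthenticatedWebSession.signIn(); when this returns
     * true, signIn() marks the session signed in and binds it.
     */
    @Override
    protected boolean authenticate(String username, String password) {
        if (!UserStore.verify(username, password)) {
            return false;
        }
        // Authentication succeeded: drop any identifier the browser held before
        // login so an attacker-planted ID does not become an authenticated one.
        rotateContainerSessionId();
        return true;
    }

    /** Compensating control: ask the container for a fresh session ID. */
    private static void rotateContainerSessionId() {
        Request request = RequestCycle.get().getRequest();
        Object container = request.getContainerRequest();
        if (!(container instanceof HttpServletRequest)) {
            return; // not running under a servlet container (e.g. a unit test)
        }
        HttpServletRequest http = (HttpServletRequest) container;
        // changeSessionId() throws IllegalStateException when no session exists,
        // so look up the current one without creating it.
        HttpSession existing = http.getSession(false);
        if (existing == null) {
            // No pre-authentication session, so nothing could have been fixed;
            // the session that signIn() binds next is freshly created.
            return;
        }
        String oldId = existing.getId();
        // Keeps the session's attributes (including Wicket's own session object)
        // and returns the new identifier the container will now send as a cookie.
        String newId = http.changeSessionId();
        if (oldId.equals(newId)) {
            throw new IllegalStateException("container did not rotate the session ID");
        }
    }

    @Override
    public Roles getRoles() {
        return isSignedIn() ? new Roles(Roles.USER) : new Roles();
    }

    /**
     * Hypothetical credential check with one constructed account. Replace with
     * the application's real authenticator (hashed credentials, lockout, etc.).
     */
    static final class UserStore {
        static boolean verify(String username, String password) {
            return "alice".equals(username) && "correct-horse-battery".equals(password);
        }
    }
}
```

Two caveats on this approach. First, it only covers sign-in through AuthenticatedWebSession.signIn(); any other code path that grants authenticated state (SSO callbacks, "remember me" cookies) needs the same rotation. Second, my reading of org.apache.wicket.Session is that it caches the identifier returned by getId() once bound, so after a direct changeSessionId() call Session.getId() may still report the old value; Wicket's own Session.replaceSession(), which invalidates the container session and binds a new one, avoids that at the cost of discarding other HttpSession attributes. Verify which behaviour your Wicket version has before relying on either, and confirm the control in an integration test by comparing the session cookie before and after a successful login.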