CVE-2026-34917
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Low-privileged session IDs generated for the web admin console could be reused in the XML-RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorized access and exploit API-level vulnerabilities.
Risk Assessment
The organization may be exposed to unauthorized access to sensitive API functions, potentially leading to serious security breaches.
Recommendation
It is recommended to update the system to improve the session ID generation mechanism and implement additional security measures for the API.
Original NVD description (English source)
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.

