CVE-2026-35095
MediumCVSS 4.8Summary
The vulnerability in KTM e-BOK allows an attacker to set the session identifier before authentication. If a cookie with a valid name is set, its value remains unchanged after successful login, enabling session hijacking.
Risk Assessment
An attacker can hijack an authenticated user's session, gaining unauthorized access to their account and data in the e-BOK system.
Recommendation
Apply the patch published in June 2026 immediately to fix this vulnerability.
Original NVD description (English source)
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in the patch published in June 2026.

