CVE Catalog

CVE-2026-38968

Low risk· EPSS 5%
Published: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

A vulnerability in ntopng up to version 6.6 allows predictable HTTP session identifiers, leading to session hijacking. Session IDs are generated using weak time-seeded pseudo-randomness, enabling an attacker to predict or collide session cookies.

Risk Assessment

An attacker can hijack an authenticated user's session, gaining unauthorized access to the ntopng management interface and potentially sensitive network data.

Recommendation

Immediately upgrade ntopng to a version newer than 6.6 that includes a fix for secure session ID generation. If an upgrade is not possible, restrict access to the interface to trusted networks only.

Original NVD description (English source)

ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS