CVE-2026-38968
Low risk· EPSS 5%Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
A vulnerability in ntopng up to version 6.6 allows predictable HTTP session identifiers, leading to session hijacking. Session IDs are generated using weak time-seeded pseudo-randomness, enabling an attacker to predict or collide session cookies.
Risk Assessment
An attacker can hijack an authenticated user's session, gaining unauthorized access to the ntopng management interface and potentially sensitive network data.
Recommendation
Immediately upgrade ntopng to a version newer than 6.6 that includes a fix for secure session ID generation. If an upgrade is not possible, restrict access to the interface to trusted networks only.
Original NVD description (English source)
ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.

