CVE-2026-3268 Overview
A vulnerability has been identified in psi-probe PSI Probe up to version 5.3.0. The affected component is an unknown function within the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/RemoveSessAttributeController.java of the Session Attribute Handler component. This flaw results in improper access controls that can be exploited remotely. The exploit has been made publicly available, and despite early contact, the vendor has not responded to the disclosure.
Critical Impact
Remote attackers with low privileges can bypass access controls in the Session Attribute Handler, potentially manipulating or removing session attributes without proper authorization.
Affected Products
- PSI Probe up to version 5.3.0
- psi-probe-core Session Attribute Handler component
- Applications using the RemoveSessAttributeController.java handler
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-3268 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-3268
Vulnerability Analysis
This vulnerability falls under CWE-266 (Incorrect Privilege Assignment), indicating a fundamental flaw in how access permissions are validated within the Session Attribute Handler. The RemoveSessAttributeController.java component fails to properly enforce access controls when processing requests to manipulate session attributes.
The vulnerability can be exploited over the network by authenticated users with low-level privileges. While the attack does not require user interaction, it does necessitate some level of authentication. Successful exploitation could allow an attacker to modify or remove session attributes belonging to other users or sessions, compromising both the integrity and availability of the affected application.
Root Cause
The root cause stems from improper access control implementation in the RemoveSessAttributeController class. The component does not adequately verify that the requesting user has sufficient privileges to perform operations on the targeted session attributes. This allows users with minimal privileges to perform actions that should be restricted to higher-privileged accounts or administrative users.
Attack Vector
The attack can be initiated remotely over a network connection. An attacker with low-level authentication credentials can craft malicious requests to the Session Attribute Handler endpoint. By manipulating the request parameters, the attacker can target session attributes they should not have access to, potentially disrupting application functionality or affecting other users' sessions.
The exploitation mechanism involves sending crafted HTTP requests to the vulnerable controller endpoint. The lack of proper authorization checks means the application will process these requests regardless of whether the authenticated user should have access to the target session data.
Detection Methods for CVE-2026-3268
Indicators of Compromise
- Unusual HTTP requests targeting the RemoveSessAttributeController endpoint from low-privileged accounts
- Session attribute manipulation events in application logs that don't correspond to expected user actions
- Multiple requests to session management endpoints from a single source in rapid succession
Detection Strategies
- Monitor application logs for unauthorized access attempts to session management functions
- Implement request logging for the psiprobe/controllers/sessions/ path and analyze for anomalous patterns
- Review authentication and authorization logs for privilege escalation attempts
- Deploy web application firewalls with rules to detect session manipulation attacks
Monitoring Recommendations
- Enable detailed logging for the PSI Probe application, specifically for session-related controllers
- Set up alerts for failed authorization attempts on session management endpoints
- Implement audit logging for all session attribute modifications with user attribution
- Monitor for unusual patterns in session management API usage
How to Mitigate CVE-2026-3268
Immediate Actions Required
- Restrict network access to PSI Probe instances to trusted administrative networks only
- Implement additional authentication layers before the Session Attribute Handler endpoints
- Review and tighten access controls on the PSI Probe web interface
- Consider disabling session management features if not required for operations
Patch Information
No official patch information is currently available. The vendor was contacted regarding this disclosure but did not respond. Organizations should monitor the VulDB Entry #347992 and the official PSI Probe project for security updates. Additional technical details can be found in the GitHub Issue Discussion.
Workarounds
- Implement network-level access restrictions to limit exposure of PSI Probe to trusted internal networks only
- Deploy a reverse proxy with additional authentication requirements in front of PSI Probe
- Use web application firewall rules to filter requests to the vulnerable controller endpoint
- Audit current user permissions and remove unnecessary access to PSI Probe functionality
# Example: Restrict access to PSI Probe via Apache configuration
<Location "/probe">
# Allow only from internal management network
Require ip 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# Require additional authentication
AuthType Basic
AuthName "PSI Probe Admin Access"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
