CVE-2026-3269 Overview
A denial of service vulnerability has been identified in PSI Probe, an advanced manager and monitor for Apache Tomcat. The flaw exists in the handleRequestInternal function within the ExpireSessionsController.java file of the Session Handler component. This vulnerability allows authenticated remote attackers to disrupt service availability by manipulating session handling operations in PSI Probe installations up to version 5.3.0.
Critical Impact
Remote attackers with low privileges can exploit this vulnerability to cause denial of service conditions, potentially disrupting monitoring and management capabilities for Apache Tomcat servers.
Affected Products
- PSI Probe up to version 5.3.0
- psi-probe:psi_probe component
- Apache Tomcat environments utilizing PSI Probe for monitoring
Discovery Timeline
- 2026-02-27 - CVE-2026-3269 published to NVD
- 2026-03-03 - Last updated in NVD database
Technical Details for CVE-2026-3269
Vulnerability Analysis
This vulnerability stems from improper resource shutdown or release (CWE-404) in the PSI Probe session handling mechanism. The affected function handleRequestInternal in psiprobe/controllers/sessions/ExpireSessionsController.java fails to properly manage resources during session expiration operations. When exploited, this allows attackers to exhaust system resources or cause the application to enter an unresponsive state.
The vulnerability can be triggered remotely over the network with low attack complexity. While the attacker requires low-level privileges to exploit this flaw, no user interaction is necessary for successful exploitation. The impact is limited to availability degradation, with no direct effect on data confidentiality or integrity.
Root Cause
The root cause of this vulnerability lies in the improper resource shutdown or release within the Session Handler component. Specifically, the ExpireSessionsController.java file contains the handleRequestInternal function that does not adequately handle resource cleanup during session management operations. This improper resource handling (CWE-404) can be manipulated by attackers to cause resource exhaustion, leading to denial of service conditions. The vendor was contacted about this disclosure but did not respond, leaving affected versions without an official patch.
Attack Vector
The attack can be launched remotely over the network against PSI Probe installations. An attacker with low-level authentication to the PSI Probe interface can send specially crafted requests to the session handling endpoints. By manipulating the session expiration functionality through the ExpireSessionsController, the attacker can trigger improper resource handling that leads to service degradation or unavailability.
The exploitation mechanism targets the session management interface: the attacker sends malformed or excessive requests to the endpoint that is dispatched to handleRequestInternal, so that the resource-cleanup defect is hit repeatedly. Technical details regarding the specific exploitation technique have been published and are referenced in the GitHub Issue Discussion and VulDB entry #347993.
Detection Methods for CVE-2026-3269
Indicators of Compromise
- Unusual volume of requests targeting PSI Probe session management endpoints
- Abnormal resource consumption patterns on servers running PSI Probe
- Application logs showing repeated session expiration requests from single sources
- Service degradation or unresponsiveness in PSI Probe web interface
Detection Strategies
- Monitor HTTP request patterns to PSI Probe's session-management endpoints (the URLs served by ExpireSessionsController) for anomalous activity, such as many session-expiry requests from one source within a short window
- Apply rate limiting on session management endpoints and alert when a client trips the limit; the limit both slows exploitation and produces a detection signal
- Configure web application firewall rules to log and block repeated session-expiry requests from a single client or account
- Review application and Tomcat access logs for repeated access to ExpireSessionsController functionality, correlating the source address with the authenticated user
Monitoring Recommendations
- Enable detailed logging for PSI Probe session management operations
- Set up alerts for resource exhaustion conditions on servers hosting PSI Probe
- Monitor for authentication attempts followed by rapid session management requests
- Track CPU and memory utilization anomalies that may indicate active exploitation
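The indicators and strategies above reduce to one check that can be run over the Tomcat access log: count session-management requests per source address in a short sliding window, alert on bursts, and report which authenticated account the burst came from. The script below is an added example, not part of this advisory or of the PSI Probe project. It assumes PSI Probe is deployed under the /probe context path with its session-management pages at /probe/sessions.htm, /probe/app/expire.htm and /probe/app/expire_session.ajax (adjust SESSION_MGMT_RE to your deployment; these paths are assumptions), reads lines in Tomcat's AccessLogValve "common" pattern, and the log lines it processes are constructed samples, not real traffic:

```python
"""Added example: flag sources that hammer PSI Probe's session-management
endpoints in a Tomcat access log. Not PSI Probe code; the endpoint paths are
assumptions and the sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION: PSI Probe under context path /probe, with the expire-all and
# expire-one session endpoints under /probe/app/. Adjust to your deployment.
SESSION_MGMT_RE = re.compile(r"^/probe/(app/expire(_session)?\.(htm|ajax)|sessions\.htm)$")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path, ignore the query
    return rec


def find_bursts(lines, window_s=10, threshold=5):
    """Sliding-window count of session-management requests per source IP.

    Returns {ip: {"user", "peak", "first_seen", "last_seen"}} for every source
    that reached `threshold` such requests inside any `window_s`-second window.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent matching requests
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SESSION_MGMT_RE.match(rec["path"]):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > timedelta(seconds=window_s):
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            a = alerts.setdefault(rec["ip"], {"user": rec["user"], "peak": 0,
                                              "first_seen": q[0], "last_seen": rec["ts"]})
            a["peak"] = max(a["peak"], len(q))
            a["last_seen"] = rec["ts"]
    return alerts


def report(alerts):
    """Human-readable alert lines, one per offending source."""
    return [
        f"{ip} (user {a['user']}): {a['peak']} session-management requests "
        f"in window ending {a['last_seen']:%H:%M:%S}"
        for ip, a in sorted(alerts.items())
    ]


# Constructed sample log: a legitimate admin expiring sessions once, an
# unrelated page view, an unparseable line, and a low-privilege account
# firing 8 expire requests in 8 seconds.
SAMPLE_LOG = [
    '10.0.1.5 - admin [03/Mar/2026:10:00:01 +0000] "GET /probe/sessions.htm HTTP/1.1" 200 5123',
    '10.0.1.5 - admin [03/Mar/2026:10:00:02 +0000] "POST /probe/app/expire.htm?webapp=ROOT HTTP/1.1" 302 0',
    '198.51.100.9 - - [03/Mar/2026:10:00:05 +0000] "GET /probe/index.htm HTTP/1.1" 200 1234',
    'this line is not an access-log record',
] + [
    f'203.0.113.7 - probe [03/Mar/2026:10:00:{10 + i:02d} +0000] '
    '"POST /probe/app/expire.htm?webapp=ROOT HTTP/1.1" 302 0'
    for i in range(8)
]

if __name__ == "__main__":
    for line in report(find_bursts(SAMPLE_LOG)):
        print(line)
```

Against a real deployment, pass the open access log (for example `find_bursts(open("localhost_access_log.txt"))`) instead of SAMPLE_LOG and tune `window_s` and `threshold` to how often operators legitimately expire sessions. The user field is populated only when PSI Probe authenticates through the container (Tomcat's `%u`), which is what lets a burst be tied to the low-privilege account that issued it, as the monitoring recommendations ask.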
How to Mitigate CVE-2026-3269
Immediate Actions Required
- Restrict network access to PSI Probe interfaces to trusted administrative networks only
- Implement strong authentication controls and limit user accounts with session management privileges
- Consider temporarily disabling PSI Probe if not critical to operations until a patch is available
- Apply network-level rate limiting to session management endpoints
Patch Information
As of the last update on 2026-03-03, the vendor (psi-probe) has not released an official patch for this vulnerability. The vendor was contacted early about this disclosure but did not respond. Organizations should monitor the PSI Probe project for security updates and consider alternative mitigations until an official fix is available.
Workarounds
- Implement IP-based access restrictions to limit PSI Probe access to trusted administrator workstations
- Deploy a reverse proxy with rate limiting capabilities in front of PSI Probe installations
- Disable or restrict access to session management functionality if not operationally required
- Consider using alternative Tomcat monitoring solutions until the vulnerability is addressed
# Example: Restrict access to PSI Probe using iptables
# Allow only the trusted admin network (example: 10.0.1.0/24) to reach the Tomcat
# HTTP connector (example port 8080). Rules are inserted at the top of INPUT so
# they take effect before any broader ACCEPT rule; repeat for other connectors
# (e.g. 8443 or AJP 8009) that expose PSI Probe, and persist the rules on reboot.
iptables -I INPUT -p tcp --dport 8080 -j DROP
iptables -I INPUT -p tcp --dport 8080 -s 10.0.1.0/24 -j ACCEPT
# Example: Rate limiting with an nginx reverse proxy in front of PSI Probe
# In the http {} context: a 10 MB zone keyed on client address, 10 requests/second per client
limit_req_zone $binary_remote_addr zone=psiprobe:10m rate=10r/s;
# In the server {} context, the location proxied to PSI Probe (path and upstream are examples).
# Bind the Tomcat connector to 127.0.0.1 so clients cannot bypass the proxy.
location /probe/ {
    limit_req zone=psiprobe burst=20 nodelay;
    limit_req_status 429;
    proxy_pass http://127.0.0.1:8080;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

