CVE-2026-32745 Overview
CVE-2026-32745 is a session hijacking vulnerability in JetBrains Datalore before version 2026.1. The application issued its session cookie without the Secure attribute, so a browser would also send that cookie on plain-HTTP requests to the Datalore host, where an attacker on an adjacent network able to observe the traffic could read it and take over the session.
Impact
An attacker on the same network segment who can observe the victim's traffic can capture the session cookie whenever the user's browser sends a plain-HTTP request to the Datalore host, then replay it to act as that user, exposing notebooks and the data they reference.
Affected Products
- JetBrains Datalore versions prior to 2026.1
Discovery Timeline
- 2026-03-13 - CVE-2026-32745 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-32745
Vulnerability Analysis
This vulnerability is classified under CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). The Secure attribute tells the browser to attach a cookie only to requests sent over TLS. Datalore's session cookie was issued without it, so the browser would also attach the cookie to any plain-HTTP request to the Datalore host, where it travels in cleartext and can be read by anyone positioned to observe that traffic.
The adjacent-network attack vector means the attacker must be able to see the victim's traffic, in practice from the same local segment: shared WiFi, a compromised switch or access point, or an ARP-spoofing or rogue-gateway man-in-the-middle position. The confidentiality impact is high because the stolen value is the session itself: replaying it gives the attacker the user's access to notebooks and data within the Datalore collaborative data science platform without needing the user's credentials.
Root Cause
The root cause is that the Datalore application issued its session cookie without the Secure flag, so browsers would send it over HTTP as well as HTTPS. Any plain-HTTP request to the Datalore host then exposes it: a hostname typed without a scheme, an old http:// bookmark or link, or the first visit before an HSTS policy has been cached. Mixed content is a weaker trigger than it once was, because most current browsers upgrade or block http:// subresources on an HTTPS page, but the top-level http:// navigation case remains.
Attack Vector
The attacker needs a position on the victim's network from which the victim's traffic can be observed. Once the user has signed in and holds a session cookie without the Secure attribute, every plain-HTTP request the browser makes to the Datalore host carries that cookie in cleartext. An active attacker does not have to wait for such a request: anyone who can tamper with an unencrypted page the victim loads can insert a reference to an http:// URL on the Datalore host, and the browser will send the cookie when it fetches it. A sniffer on the segment captures the Cookie header, and the attacker replays it in their own requests to take over the session.
The exploitation scenario typically involves:
- The attacker positions themselves on the same network segment as the target user
- The user authenticates to JetBrains Datalore, receiving session cookies without the Secure attribute
- The user's browser makes a plain-HTTP request to the Datalore host (a typed or linked http:// URL, or a reference injected into another unencrypted page by an active attacker)
- The attacker intercepts the HTTP traffic containing the session cookie
- The attacker uses the captured session cookie to impersonate the authenticated user
For technical details on this vulnerability, refer to the JetBrains Security Issues Fixed advisory.
Detection Methods for CVE-2026-32745
Indicators of Compromise
- Unexpected session activity from IP addresses not associated with the legitimate user
- The same session token in use from more than one source address within a short interval, or from locations the user could not plausibly be in
- Unusual data access patterns or API calls that deviate from the user's normal behavior
- Network traffic logs showing session cookies transmitted over HTTP connections
Detection Strategies
- Monitor network traffic for HTTP requests containing session cookies that should only be transmitted over HTTPS
- Implement anomaly detection for user sessions originating from multiple IP addresses simultaneously
- Review web server access logs for session reuse patterns indicative of hijacking
- Tune network intrusion detection to flag Cookie headers in HTTP traffic to the Datalore host on port 80, and to alert on ARP spoofing or rogue DHCP on user segments, the usual ways an attacker obtains a man-in-the-middle position; passive sniffing itself leaves no trace on the wire
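The two strategies above, plaintext cookies on the wire and one session in use from several addresses, as detection logic over access logs. This is an added example, not part of the original advisory or any JetBrains tooling: it assumes a reverse proxy in front of Datalore writes a line of the form <time> <client ip> <scheme> <session-id hash> <method> <path>, where the session field is a truncated hash computed by the proxy rather than the raw cookie, and the sample lines are constructed.

```python
"""Detection over reverse-proxy access logs: flag session cookies that crossed
the wire over plain HTTP, and one session id used from several source addresses
within a short window. Added example; the log format and the sample lines are
constructed assumptions, not Datalore's own logging."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed log_format written by the proxy in front of Datalore:
#   <iso8601 time> <client ip> <scheme> <session id or "-"> <method> <path>
# The session id field is assumed to be a truncated hash of the cookie value
# computed by the proxy, never the raw cookie (raw tokens in logs are a new leak).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<scheme>https?) (?P<sid>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample, not captured traffic.
SAMPLE_LOG = """\
2026-03-14T09:00:01+00:00 10.0.0.12 https s_4f2a GET /notebooks
2026-03-14T09:01:15+00:00 10.0.0.12 http s_4f2a GET /favicon.ico
2026-03-14T09:02:40+00:00 10.0.0.77 https s_4f2a GET /api/notebooks
2026-03-14T09:03:00+00:00 10.0.0.33 https s_9b10 GET /notebooks
2026-03-14T09:05:00+00:00 10.0.0.5 https - GET /login
2026-03-14T15:00:00+00:00 10.0.0.34 https s_9b10 GET /notebooks
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    src_ip: str
    scheme: str
    session: Optional[str]  # None when the request carried no session cookie
    method: str
    path: str


@dataclass(frozen=True)
class Alert:
    session: str
    ips: Tuple[str, ...]
    first_seen: datetime
    last_seen: datetime


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the assumed format
        sid = m["sid"]
        records.append(Record(
            ts=datetime.fromisoformat(m["ts"]),
            src_ip=m["ip"],
            scheme=m["scheme"],
            session=None if sid == "-" else sid,
            method=m["method"],
            path=m["path"],
        ))
    return records


def plaintext_cookie_events(records: List[Record]) -> List[Record]:
    """Requests that presented a session cookie over http://. Each one is a
    token that went over the network in cleartext, whatever the server answered."""
    return [r for r in records if r.scheme == "http" and r.session]


def shared_session_alerts(records: List[Record], window_seconds: int = 600) -> List[Alert]:
    """One session id seen from more than one source address within
    window_seconds. A short window separates a replayed cookie from a user who
    legitimately changes networks hours apart."""
    by_session = defaultdict(list)
    for r in records:
        if r.session:
            by_session[r.session].append(r)
    alerts = []
    for sid, events in sorted(by_session.items()):
        events.sort(key=lambda r: r.ts)
        start = 0
        for end, ev in enumerate(events):
            # slide the left edge so events[start:end+1] spans at most the window
            while (ev.ts - events[start].ts).total_seconds() > window_seconds:
                start += 1
            ips = {e.src_ip for e in events[start:end + 1]}
            if len(ips) > 1:
                alerts.append(Alert(sid, tuple(sorted(ips)), events[start].ts, ev.ts))
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in plaintext_cookie_events(recs):
        print(f"cookie over plain HTTP: {r.ts} {r.src_ip} {r.method} {r.path} session={r.session}")
    for a in shared_session_alerts(recs):
        print(f"session {a.session} used from {', '.join(a.ips)} between {a.first_seen} and {a.last_seen}")
```

On the sample, the favicon request over http is the cleartext exposure, and s_4f2a is flagged because a second address uses it within minutes of the first; s_9b10 is used from two addresses six hours apart and is only flagged when the window is widened, which is the trade-off the window parameter exists for.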
Monitoring Recommendations
- Enable detailed logging for authentication events and session management activities in Datalore
- Configure alerts for session validation failures or suspicious session reuse attempts
- Load Datalore in a browser and check the developer console for mixed-content warnings, and review proxy logs for any http:// requests to the Datalore host; either means the session cookie is being exposed
- Implement real-time session monitoring to detect concurrent session anomalies
How to Mitigate CVE-2026-32745
Immediate Actions Required
- Upgrade JetBrains Datalore to version 2026.1 or later immediately
- Invalidate all active sessions after applying the patch so that cookies captured before the upgrade stop working
- Review access logs for signs of unauthorized session activity prior to patching
- Ensure HTTPS is enforced for all Datalore deployments with proper HSTS configuration
Patch Information
JetBrains has addressed this vulnerability in Datalore version 2026.1. Organizations should upgrade to this version or later to ensure session cookies are properly configured with the Secure attribute. For detailed patch information, refer to the JetBrains Security Issues Fixed page.
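A check that a deployment actually issues its session cookie with the Secure attribute after the upgrade (and HttpOnly, SameSite and the __Host- prefix rules while you are at it). This is an added example, not JetBrains' code: the cookie names in the sample are constructed, and the fetch helper only performs a GET, so point it at the endpoint that sets the session cookie or paste the Set-Cookie values captured from an authenticated response into the sample list.

```python
"""Audit Set-Cookie headers for the attributes that keep a session cookie off
plaintext HTTP (CWE-614). Added example, not JetBrains' code; the cookie names
in SAMPLE_SET_COOKIE are constructed, not Datalore's."""
import http.client
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample responses, not captured from a real deployment.
SAMPLE_SET_COOKIE = [
    # What an unpatched deployment would emit: no Secure flag
    "sessionId=abc123; Path=/; HttpOnly",
    # A hardened session cookie
    "__Host-sessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    # Expires contains a comma; SameSite=None without Secure is rejected by browsers
    "pref=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; SameSite=None",
]


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie value (RFC 6265 section 5.2): the first ';'-separated
    piece is name=value, the rest are attributes matched case-insensitively."""
    pieces = [p.strip() for p in header.split(";")]
    name = pieces[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip().lower()
    f = CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )
    if not f.secure:
        # The browser will attach this cookie to any http:// request to the host
        f.problems.append("missing-secure")
    if not f.httponly:
        f.problems.append("missing-httponly")  # readable by script, so XSS steals it
    if f.samesite is None:
        f.problems.append("missing-samesite")
    elif f.samesite == "none" and not f.secure:
        f.problems.append("samesite-none-without-secure")  # browsers drop the cookie
    if name.lower().startswith("__host-") and (
        not f.secure or "domain" in attrs or attrs.get("path") != "/"
    ):
        f.problems.append("host-prefix-violation")  # prefix rules: Secure, Path=/, no Domain
    return f


def audit_headers(values: List[str]) -> List[CookieFinding]:
    return [parse_set_cookie(v) for v in values]


def fetch_set_cookie(host: str, path: str = "/", port: int = 443) -> List[str]:
    """GET a page over TLS and return every Set-Cookie header unmodified.
    get_all() keeps them separate; getheader() would join them with ', ',
    which corrupts Expires dates."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python cookie_audit.py [host [path]]; without arguments the sample runs
    if len(sys.argv) > 1:
        values = fetch_set_cookie(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    else:
        values = SAMPLE_SET_COOKIE
    for finding in audit_headers(values):
        status = "OK" if not finding.problems else ", ".join(finding.problems)
        print(f"{finding.name}: {status}")
```

The first sample cookie is the pre-2026.1 shape this CVE describes and is reported as missing-secure; the second passes every check; the third shows why the parser splits on ';' rather than ',' and why SameSite=None is worse than useless without Secure.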
Workarounds
- Enforce HTTPS-only access to Datalore at the web server or load balancer: never serve the application over HTTP, and redirect http:// requests to https://. A redirect alone does not protect the first plaintext request, because the browser has already sent the cookie by the time the redirect arrives; only the Secure flag or a cached HSTS policy prevents that
- Send an HTTP Strict Transport Security (HSTS) header so browsers refuse to use HTTP for the host in future. HSTS takes effect only after the browser's first HTTPS visit, so the exposure window is the first request; consider the HSTS preload list if that matters
- If the reverse proxy can rewrite Set-Cookie (nginx: proxy_cookie_flags), have it add the Secure flag to every cookie from Datalore until the upgrade is done
- Segment network access to Datalore to minimize exposure to adjacent network attacks
- Implement network-level encryption (VPN or similar) for users accessing Datalore from potentially untrusted networks
# Example nginx configuration to enforce HTTPS and HSTS, and to add the Secure
# flag at the proxy while the application behind it is still unpatched
server {
    listen 80;
    server_name datalore.example.com;
    # Redirect only, never serve content here: a plain-HTTP response would
    # carry the cookie just as the request already did
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name datalore.example.com;
    # Certificate paths are placeholders
    ssl_certificate     /etc/nginx/tls/datalore.crt;
    ssl_certificate_key /etc/nginx/tls/datalore.key;
    # Enable HSTS (takes effect after the browser's first HTTPS visit)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Additional security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    location / {
        # Upstream address is a placeholder for the Datalore listener
        proxy_pass http://127.0.0.1:8080;
        # Stopgap for unpatched versions (nginx 1.19.3+): set Secure on every
        # cookie the upstream issues
        proxy_cookie_flags ~ secure;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.