Session Management Vulnerability in Nagios XI by Nagios
CVE-2024-13996

9.2CRITICAL

Key Information:

Vendor

NagiOS

Status
Xi
Vendor
CVE Published:
30 October 2025

What is CVE-2024-13996?

Nagios XI versions prior to 2024R1.1.3 contain a serious session management issue where changing a user's password does not invalidate active sessions. This oversight permits pre-existing sessions, which may be exploited by attackers, to remain active after a password update. Consequently, unauthorized users could continue to access sensitive information and perform actions on behalf of the legitimate user even after the password has been changed. It is essential for users of Nagios XI to apply the updates available in version 2024R1.1.3 or later to rectify this vulnerability.

Affected Version(s)

XI 0

References

https://www.nagios.com/products/security/#nagios-xi
vendor-advisorypatch
https://www.nagios.com/changelog/nagios-xi/
release-notespatch
https://www.vulncheck.com/advisories/nagios-xi-session-no...
third-party-advisory

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jack Eli
JSON
.
CVE-2024-13996 : Session Management Vulnerability in Nagios XI by Nagios