Insecure Session Management in Pinpoint by Pinpoint APM
CVE-2026-57948

7.6 HIGH

Key Information:

CVE Published: 29 June 2026

What is CVE-2026-57948?

Pinpoint version 3.1.0 is vulnerable because of inadequate session management: the pinpointJwt session cookie is issued without the 'HttpOnly' and 'Secure' attributes. As a result, the session cookie can be read by JavaScript through document.cookie, and it may be transmitted in cleartext over HTTP, where it can be intercepted. An attacker who can run script in the application's origin (for example via stored or reflected cross-site scripting) or who can sniff unencrypted traffic could therefore obtain the session token and hijack the session.
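The following is an added defender-side check, not code from the advisory or from the Pinpoint project: it parses the Set-Cookie headers of an HTTP response and reports which of the HttpOnly and Secure attributes a watched cookie (here pinpointJwt, the name given above) is missing. The sample responses and token value are constructed placeholders.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure attributes.

A session cookie issued without HttpOnly is readable via document.cookie;
one issued without Secure may be sent over plain HTTP. This helper flags
both omissions so a deployment can be verified before and after hardening.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

REQUIRED_ATTRS = ("httponly", "secure")


def parse_set_cookie(header: str) -> Tuple[str, Set[str]]:
    """Return (cookie name, lowercase attribute names) for one Set-Cookie value.

    Expects a single header value, e.g. 'name=value; Path=/; HttpOnly'.
    Attribute matching is case-insensitive, as RFC 6265 requires.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    attrs.discard("")  # ignore empty segments such as a trailing ';'
    return name, attrs


def missing_attributes(set_cookie_headers: Iterable[str],
                       watch: Optional[Iterable[str]] = ("pinpointJwt",)
                       ) -> Dict[str, List[str]]:
    """Map each watched cookie (all cookies if watch is None) to the required
    attributes it lacks. An empty list means the cookie is fully flagged."""
    watched = set(watch) if watch is not None else None
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if watched is None or name in watched:
            findings[name] = sorted(a for a in REQUIRED_ATTRS if a not in attrs)
    return findings


# Constructed sample responses (one Set-Cookie header value per list entry,
# as http.client's HTTPMessage.get_all("Set-Cookie") would return them).
WEAK_RESPONSE = ["pinpointJwt=PLACEHOLDER_TOKEN; Path=/"]
HARDENED_RESPONSE = [
    "pinpointJwt=PLACEHOLDER_TOKEN; Path=/; HttpOnly; Secure; SameSite=Strict"
]

if __name__ == "__main__":
    print("weak:", missing_attributes(WEAK_RESPONSE))
    print("hardened:", missing_attributes(HARDENED_RESPONSE))
```

Against a live deployment, feed the list returned by `response.headers.get_all("Set-Cookie")` from `urllib.request.urlopen` into `missing_attributes`; a non-empty list for pinpointJwt reproduces the condition this advisory describes.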

Affected Version(s)

pinpoint: all versions from 0 up to and including 3.1.0

CVSS v4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

George Chen