Session Forgery Vulnerability in Rejetto HFS 3.0.0 to 3.2.0
CVE-2026-61500

9.3CRITICAL

Key Information:

Vendor

Rejetto

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-61500?

The Rejetto HFS versions 3.0.0 to 3.2.0 contain a session forgery vulnerability due to the insecure generation of session-cookie signing keys, derived from the non-cryptographic Math.random() function. This design flaw allows unauthenticated attackers to intercept and analyze login responses. By reconstructing the random generator's internal state, the attacker can derive the signing key necessary to forge valid administrator session cookies. This could lead to unauthorized administrative access and enable remote code execution through the application's server_code configuration feature.

Affected Version(s)

hfs 3.0.0

References

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
.