Session Forgery Vulnerability in Rejetto HFS 3.0.0 to 3.2.0
CVE-2026-61500
9.3CRITICAL
What is CVE-2026-61500?
The Rejetto HFS versions 3.0.0 to 3.2.0 contain a session forgery vulnerability due to the insecure generation of session-cookie signing keys, derived from the non-cryptographic Math.random() function. This design flaw allows unauthenticated attackers to intercept and analyze login responses. By reconstructing the random generator's internal state, the attacker can derive the signing key necessary to forge valid administrator session cookies. This could lead to unauthorized administrative access and enable remote code execution through the application's server_code configuration feature.
Affected Version(s)
hfs 3.0.0
References
CVSS V4
Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
