JetBrains Datalore <=2026.0 Session Hijacking via Cookie Secure Attribute
CVE-2026-32745 Published on March 13, 2026
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
Vulnerability Analysis
Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE
Weakness Type
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
Affected Versions
JetBrains Datalore:- Before 2026.1 is affected.