CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix	Vendor Advisory
https://www.themissinglink.com.au/security-advisories/cve-2026-0696

Configurations

Configuration 1 (hide)

cpe:2.3:a:connectwise:professional_service_automation:*:*:*:*:*:*:*:*

History

27 Jan 2026, 13:15

Type	Values Removed	Values Added
References		() https://www.themissinglink.com.au/security-advisories/cve-2026-0696 -

23 Jan 2026, 16:45

Type	Values Removed	Values Added
References	~~() https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix -~~	() https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix - Vendor Advisory
CPE		cpe:2.3:a:connectwise:professional_service_automation::::::::
First Time		Connectwise professional Service Automation Connectwise

16 Jan 2026, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-16 14:15

Updated : 2026-01-27 13:15

NVD link : CVE-2026-0696

Mitre link : CVE-2026-0696

CVE.ORG link : CVE-2026-0696

JSON object : View

Products Affected

connectwise

professional_service_automation

CWE

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

6.5 /10