CVE-2026-55617: Hydro: Insufficient session expiration when recreating sessions
Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.
As a result, an old sid cookie may remain valid even after the legitimate user logs out or the session is recreated. An attacker who has obtained a victim’s previous sid cookie can replay that cookie over HTTP or HTTPS and continue to access the affected Hydro instance as the victim.
The attacker does not need the victim’s username or password. Exploitation requires possession of a previously valid stale sid cookie, but no user interaction is required at exploitation time.
Successful exploitation may allow account takeover within the affected Hydro instance. For a normal user account, this may allow disclosure of private data and unauthorized modification or deletion of data available to the victim.
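The defect described above, as an added illustrative example that is not Hydro's code: a hypothetical in-memory `SessionStore` whose `recreateVulnerable` issues a fresh sid but leaves the old server-side record in place, beside `recreateFixed`, which deletes the old record first. `staleCookieStillValid` is an assumed helper that checks whether a copy of the previous sid still resolves after renewal and logout.

```typescript
// Added example, not Hydro's code. Hypothetical in-memory session store used to
// show why the old server-side session must be deleted when a session is recreated.
import { randomBytes } from "node:crypto";

interface Session { uid: number; createdAt: number; }

class SessionStore {
  private sessions = new Map<string, Session>();

  create(uid: number): string {
    const sid = randomBytes(32).toString("hex"); // unguessable session token
    this.sessions.set(sid, { uid, createdAt: Date.now() });
    return sid;
  }

  lookup(sid: string): Session | undefined {
    return this.sessions.get(sid);
  }

  // Vulnerable pattern: a new sid is issued, but the previous record stays,
  // so anyone holding a copy of the old cookie still maps to the same uid.
  recreateVulnerable(oldSid: string): string | undefined {
    const s = this.sessions.get(oldSid);
    if (!s) return undefined;
    return this.create(s.uid);
  }

  // Hardened pattern: invalidate the previous record before issuing a new sid.
  recreateFixed(oldSid: string): string | undefined {
    const s = this.sessions.get(oldSid);
    if (!s) return undefined;
    this.sessions.delete(oldSid);
    return this.create(s.uid);
  }

  logout(sid: string): void {
    this.sessions.delete(sid);
  }
}

// Returns true when a copy of the pre-renewal sid still resolves to a session
// after the user renewed the session and then logged out of the new one.
function staleCookieStillValid(fixed: boolean): boolean {
  const store = new SessionStore();
  const oldSid = store.create(42);                       // constructed user id
  const newSid = fixed ? store.recreateFixed(oldSid) : store.recreateVulnerable(oldSid);
  if (newSid === undefined) throw new Error("recreate failed");
  store.logout(newSid);                                  // user ends the new session
  return store.lookup(oldSid) !== undefined;
}
```

With the vulnerable pattern the stale sid still resolves after logout; with the fixed pattern it does not.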
References
- github.com/advisories/GHSA-94jp-7776-qj6q
- github.com/hydro-dev/Hydro/commit/8450390fcce5f7dc3f11c43a14f1d76dbb949a0d
- github.com/hydro-dev/Hydro/commit/8d76be8f0b83d911bf7671962b0467e9d4b5719a
- github.com/hydro-dev/Hydro/pull/1173
- github.com/hydro-dev/Hydro/security/advisories/GHSA-94jp-7776-qj6q
- nvd.nist.gov/vuln/detail/CVE-2026-55617