| CVE ID | CVE-2026-35095 |
|---|---|
| Publication date | 30 June 2026 |
| Vendor | KTM System |
| Product | e-BOK |
| Vulnerable versions | All before 06.2026 |
| Vulnerability type (CWE) | Session Fixation (CWE-384) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-35096 |
|---|---|
| Publication date | 30 June 2026 |
| Vendor | KTM System |
| Product | e-BOK |
| Vulnerable versions | All before 06.2026 |
| Vulnerability type (CWE) | Cross-Site Request Forgery (CSRF) (CWE-352) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-35097 |
|---|---|
| Publication date | 30 June 2026 |
| Vendor | KTM System |
| Product | e-BOK |
| Vulnerable versions | All before 06.2026 |
| Vulnerability type (CWE) | Weak Password Requirements (CWE-521) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2026-35098 |
|---|---|
| Publication date | 30 June 2026 |
| Vendor | KTM System |
| Product | e-BOK |
| Vulnerable versions | All before 06.2026 |
| Vulnerability type (CWE) | Improper Restriction of Excessive Authentication Attempts (CWE-307) |
| Report source | Report to CERT Polska |
Description
CERT Polska received a report of four vulnerabilities in KTM System's e-BOK software and took part in coordinating their disclosure.
The vulnerability CVE-2026-35095: KTM System e-BOK accepts a session identifier supplied by the client before authentication. If a request carries a cookie with the application's session cookie name, the application keeps that value after a successful login instead of issuing a new identifier. An attacker who can plant a known session ID in the victim's browser can therefore wait for the victim to log in and then present the same ID to take over the authenticated session.
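The following is an added illustration of the flaw described above and of the standard fix (rotating the session identifier on login); it is a toy in-memory session layer written for this page, not KTM System code. The cookie name `SESSIONID`, the handler names and the attacker's planted value are assumptions.

```python
"""Session fixation (CWE-384): a pre-authentication session id chosen by the
client survives login. Added example, not the vendor's implementation."""
import secrets

COOKIE_NAME = "SESSIONID"  # assumed session cookie name, for illustration only


class SessionStore:
    """Minimal server-side store: session id -> dict of session attributes."""

    def __init__(self):
        self.sessions = {}

    def new_id(self):
        return secrets.token_urlsafe(32)

    def get(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, cookies, username, password_ok):
    """Keeps whatever id the client already sent (the flaw).

    `cookies` is the request cookie jar as a dict. Returns the session id the
    response will set; a successful login binds the user to that same id.
    """
    sid = cookies.get(COOKIE_NAME) or store.new_id()
    if not password_ok:
        return sid
    store.sessions[sid] = {"user": username}
    return sid


def login_fixed(store, cookies, username, password_ok):
    """Issues a fresh, server-generated id on the privilege change and
    discards the pre-authentication one, so a planted value is worthless."""
    old = cookies.get(COOKIE_NAME)
    if not password_ok:
        return old or store.new_id()
    if old in store.sessions:
        del store.sessions[old]  # invalidate the pre-auth session, if any
    sid = store.new_id()
    store.sessions[sid] = {"user": username}
    return sid


def fixation_attack(login):
    """Attacker plants a known id in the victim's browser, waits for the
    victim to log in, then presents the same id. Returns the user the
    attacker's request resolves to, or None if the attack failed."""
    store = SessionStore()
    planted = "attacker-chosen-id-0000"          # constructed sample value
    victim_cookies = {COOKIE_NAME: planted}
    login(store, victim_cookies, "victim", password_ok=True)
    attacker_session = store.get(planted)
    return attacker_session["user"] if attacker_session else None


if __name__ == "__main__":
    print("vulnerable handler:", fixation_attack(login_vulnerable))
    print("fixed handler:     ", fixation_attack(login_fixed))
```

How the attacker gets the cookie into the victim's browser (a sibling-domain cookie, an injected `Set-Cookie`, a URL-borne session parameter) is outside this example; the server-side defence is the same in every case: never accept a client-chosen identifier as the authenticated session and always regenerate it at login.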
The vulnerability CVE-2026-35096: KTM System e-BOK is vulnerable to Cross-Site Request Forgery (CSRF) in both the email-change and password-change functions. The application does not verify that these POST requests originate from its own pages (for example with an anti-CSRF token), so an attacker can host a page that, when visited by a logged-in user, automatically submits a forged POST request with the user's session cookie attached. This changes the victim's email address or password without any further action on their part.
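An added illustration of the CSRF pattern above and of a synchronizer-token fix, written for this page rather than taken from e-BOK. The field names (`email`, `csrf_token`), the cookie name, the origins and the sample session are assumptions; the handlers model only the request-handling logic, not a real web framework.

```python
"""CSRF (CWE-352) on a state-changing form and the synchronizer-token fix.
Added example, not the vendor's implementation."""
import hmac
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "SESSIONID"                    # assumed session cookie name
APP_ORIGIN = "https://ebok.example.invalid"  # assumed application origin


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def fresh_session_store():
    """Constructed sample state: one authenticated session for 'victim',
    with a random per-session anti-CSRF token."""
    return {"s1": {"user": "victim", "email": "victim@example.invalid",
                   "csrf_token": secrets.token_urlsafe(32)}}


def change_email_vulnerable(store, req):
    """Trusts the session cookie alone. The browser attaches that cookie to
    a form auto-submitted from the attacker's page, so the change succeeds."""
    sess = store.get(req.cookies.get(COOKIE_NAME))
    if sess is None:
        return 401
    sess["email"] = req.form["email"]
    return 200


def change_email_fixed(store, req):
    """Synchronizer token: the form must echo a secret bound to the session.
    A cross-site page cannot read that value, so a forged request lacks it.
    The Origin header check is an independent second signal."""
    sess = store.get(req.cookies.get(COOKIE_NAME))
    if sess is None:
        return 401
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403
    sess["email"] = req.form["email"]
    return 200


def forged_request():
    """What the server receives when the victim visits the attacker's page:
    the victim's cookie (sent automatically), attacker-chosen fields, no
    token, and the attacker's origin."""
    return Request(cookies={COOKIE_NAME: "s1"},
                   form={"email": "attacker@example.invalid"},
                   headers={"Origin": "https://attacker.example.invalid"})


def legitimate_request(store):
    """The application's own form, rendered with the session's token."""
    return Request(cookies={COOKIE_NAME: "s1"},
                   form={"email": "new@example.invalid",
                         "csrf_token": store["s1"]["csrf_token"]},
                   headers={"Origin": APP_ORIGIN})


def attempt(handler, forged):
    """Run one request against fresh state; return (status, resulting email)."""
    store = fresh_session_store()
    req = forged_request() if forged else legitimate_request(store)
    status = handler(store, req)
    return status, store["s1"]["email"]


if __name__ == "__main__":
    print("vulnerable, forged:", attempt(change_email_vulnerable, forged=True))
    print("fixed, forged:     ", attempt(change_email_fixed, forged=True))
    print("fixed, legitimate: ", attempt(change_email_fixed, forged=False))
```

The same token check belongs on the password-change endpoint, which should additionally require the current password; marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer but not a replacement for the token.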
The vulnerability CVE-2026-35097: KTM System e-BOK limits passwords to at most six characters and accepts only numeric digits; alphabetic, special, and extended characters are rejected. The entire password space is therefore at most 10^6 = 1,000,000 values for six-digit passwords (about 1.1 million if shorter numeric passwords are also accepted).
The vulnerability CVE-2026-35098: KTM System e-BOK applies no limit, lockout, or delay to consecutive failed login attempts, so an attacker can send an unlimited number of authentication requests. The missing rate limiting makes online brute-force attacks against user accounts practical. Combined with CVE-2026-35097, which restricts passwords to six digits, this becomes a critical issue: a password space of one million values can be exhausted in a matter of hours at modest request rates, and a given account's password is found on average after half that many guesses.
These issues were fixed in the e-BOK release published in June 2026 (version 06.2026).
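An added example for the two issues above (CVE-2026-35097 and CVE-2026-35098 together): it sizes the numeric keyspace, walks it against a login with no throttling, and then against the same login behind a per-account lockout, which is the CWE-307 control the application lacked. This is illustration code written for this page, not e-BOK code; the lockout threshold, the lockout duration, the request rate and the sample account are assumptions.

```python
"""Six-digit numeric passwords (CWE-521) with unlimited login attempts
(CWE-307). Added example, not the vendor's implementation."""
import time


def keyspace(max_len, alphabet_size, min_len=1):
    """Number of distinct passwords of every length from min_len to max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(space, requests_per_second):
    """Wall-clock time to try every value at a sustained request rate."""
    return space / requests_per_second / 3600


class AccountDB:
    """Constructed sample: account -> numeric password, as the policy forces."""

    def __init__(self, passwords):
        self.passwords = passwords

    def check(self, user, pin):
        return self.passwords.get(user) == pin


class LoginGuard:
    """CWE-307 mitigation: after `max_failures` consecutive failed attempts on
    an account, reject further attempts for `lockout_seconds` without even
    checking the password. Thresholds are assumed values."""

    def __init__(self, db, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self.db = db
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # user -> consecutive failure count
        self.locked_until = {}  # user -> clock time when the lock expires

    def login(self, user, pin):
        """Returns 'ok', 'bad_password' or 'locked'."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.db.check(user, pin):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
        return "bad_password"


def brute_force(login, user):
    """Try every six-digit value in order, as an attacker would against an
    endpoint with no throttling. Returns (pin or None, attempts made)."""
    attempts = 0
    for n in range(10 ** 6):
        attempts += 1
        result = login(user, f"{n:06d}")
        if result == "ok":
            return f"{n:06d}", attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo(secret="048213"):
    """Same account, same attacker loop, with and without the guard."""
    db = AccountDB({"client42": secret})          # constructed sample account

    def unlimited(user, pin):
        return "ok" if db.check(user, pin) else "bad_password"

    guarded = LoginGuard(db).login
    return {"unlimited": brute_force(unlimited, "client42"),
            "guarded": brute_force(guarded, "client42")}


if __name__ == "__main__":
    print("six-digit keyspace:", keyspace(6, 10, min_len=6))
    print("hours at 20 req/s: ", round(hours_to_exhaust(10 ** 6, 20), 2))
    print(demo())
```

A per-account lockout on its own lets an attacker lock users out, and it does nothing against spraying a handful of common PINs across many accounts, so it belongs alongside per-source throttling and, above all, a password policy that allows long, mixed-character passwords. A fixed-size numeric space stays weak no matter how the login is throttled.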
Credits
We thank Jacek Korta for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.