CWE-614— Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set.— MITRE CWE catalog
60 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-614page 2 of 2
- CVE-2026-1697MEDIUMCVSS 6.5EG 6.52026-02-26
The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through 16.3.3 included.
- CVE-2026-22617MEDIUMCVSS 5.7EG 5.72026-04-16
Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept the cookie and exploit it through a man‑in‑the‑middle attack. This security issue has been fixe…
- CVE-2026-32745MEDIUMCVSS 6.3EG 6.32026-03-13
In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
- CVE-2026-41017MEDIUMCVSS 5.9EG 5.92026-06-01
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy / a managed load balancer that terminate…
- CVE-2026-43828MEDIUMCVSS 6.5EG 6.52026-05-25
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.…
- CVE-2026-46398HIGHCVSS 8.8EG 8.82026-06-05
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted …
- CVE-2026-46550MEDIUMCVSS 5.4EG 5.42026-05-21
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepte…
- CVE-2026-4820MEDIUMCVSS 4.3EG 4.32026-04-01
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link…
- CVE-2026-53661HIGHCVSS 8.8EG 8.82026-06-11
Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications. Prior to version 0.9.1, boruta session cookies and the identity “remember me” cookie were set …
- CVE-2026-57948MEDIUMCVSS 6.8EG 6.82026-06-29
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cook…
Map vulnerabilities like CWE-614 to your infrastructure
EchelonGraph correlates every CVE — across CWE-614 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →