CVE-2026-0696

6.5 MEDIUM

📋 TL;DR

ConnectWise PSA versions before 2026.1 fail to set the HttpOnly attribute on certain session cookies, so client-side scripts running in the user's browser can read session data. This affects organizations running vulnerable ConnectWise PSA installations. Attackers who can run script in a victim's browser (for example via XSS) could steal session cookies and impersonate legitimate users.

💻 Affected Systems

Products:
  • ConnectWise PSA
Versions: All versions older than 2026.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects web interface components that handle session cookies.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Session hijacking leading to full account compromise, unauthorized access to sensitive business data, and potential privilege escalation within the PSA system.

🟠 Likely Case

Attackers stealing session cookies via XSS or other client-side attacks to gain unauthorized access to user accounts with limited privileges.

🟢 If Mitigated

Minimal impact if proper web application firewalls, content security policies, and input validation are implemented to prevent script injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the ability to execute client-side scripts in a victim's browser (typically via XSS) to read the cookie values.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.1 or later

Vendor Advisory: https://www.connectwise.com/company/trust/security-bulletins/2026-01-15-psa-security-fix

Restart Required: Yes

Instructions:

1. Back up your ConnectWise PSA installation and database.
2. Apply the ConnectWise PSA 2026.1 update through the administrative interface.
3. Restart the ConnectWise PSA services.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Implement Content Security Policy (all platforms)

Deploy a strict Content Security Policy to prevent script injection attacks that could exploit this vulnerability.

Web Application Firewall Rules (all platforms)

Configure WAF rules to detect and block session cookie access attempts from client-side scripts.

🧯 If You Can't Patch

  • Implement strict input validation and output encoding to prevent XSS attacks
  • Deploy network segmentation to limit access to ConnectWise PSA interfaces

🔍 How to Verify

Check if Vulnerable:

Check the ConnectWise PSA version in the administrative interface. If the version is older than 2026.1, the system is vulnerable.

Check Version:

Check the version in the ConnectWise PSA administrative dashboard under System Information.

Verify Fix Applied:

After updating to 2026.1 or later, verify that the session cookies now carry the HttpOnly attribute (inspect the Set-Cookie response headers or the cookie list in the browser's developer tools).
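The verification steps above can be automated. The following script is an added example (not ConnectWise code, and not part of the original advisory): it parses Set-Cookie header values and reports any session-like cookie that is missing the HttpOnly attribute, which is exactly the condition this CVE describes. The cookie names in the sample headers are constructed placeholders; the advisory does not name the affected ConnectWise PSA cookies, so the session-name heuristic is an assumption you should adjust for your deployment. The optional fetch_set_cookie_headers helper uses the standard library only.

```python
"""Report session cookies that lack the HttpOnly attribute.

Added example for verifying the CVE-2026-0696 fix; the header samples
below are constructed and the cookie names are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional
import urllib.request


@dataclass
class CookieInfo:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its security-relevant attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    httponly = secure = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()          # attribute names are case-insensitive
        if key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val.strip()
    return CookieInfo(name, httponly, secure, samesite)


# Assumed naming heuristic for session cookies; adjust to the real cookie
# names used by your ConnectWise PSA instance.
SESSION_NAME_HINTS = ("session", "sess", "auth", "token")


def is_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def find_unprotected(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of session-like cookies missing HttpOnly."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c.name for c in cookies if is_session_cookie(c.name) and not c.httponly]


def fetch_set_cookie_headers(url: str) -> List[str]:
    """GET a URL and return every Set-Cookie header of the final response."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed samples: a pre-fix response and a post-fix response.
SAMPLE_VULNERABLE = [
    "example_session=abc123; Path=/; Secure",        # missing HttpOnly
    "preferred_theme=dark; Path=/",                  # not a session cookie
]
SAMPLE_FIXED = [
    "example_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "preferred_theme=dark; Path=/",
]

if __name__ == "__main__":
    print("before fix, unprotected:", find_unprotected(SAMPLE_VULNERABLE))
    print("after fix, unprotected: ", find_unprotected(SAMPLE_FIXED))
```

Run it against a live instance with `find_unprotected(fetch_set_cookie_headers("https://psa.example.internal/login"))` (placeholder URL); an empty list after the 2026.1 update confirms the fix for the cookies that heuristic matches. Check the Secure and SameSite fields the parser also extracts while you are there, since they close related cookie-theft paths the advisory's CSP and WAF workarounds do not cover.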

📡 Detection & Monitoring

Log Indicators:

  • Unusual session creation patterns
  • Multiple failed login attempts followed by successful login from different IP
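The second log indicator is concrete enough to turn into a rule. The script below is an added example (not ConnectWise code) that scans a constructed, space-separated login log in an assumed format of "timestamp user source_ip LOGIN_OK|LOGIN_FAIL" and raises an alert when a user accumulates several failures inside a time window and then logs in successfully from an IP that produced none of those failures. The log format, the threshold and the window are all assumptions; map them onto your PSA audit log fields before using it.

```python
"""Flag 'several failed logins, then success from a different IP'.

Added detection example; the log lines and format are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: "<ISO-8601 UTC timestamp> <user> <source ip> <event>"
SAMPLE_LOG = """\
2026-01-20T10:00:01Z alice 10.0.0.5 LOGIN_OK
2026-01-20T10:05:10Z bob 10.0.0.7 LOGIN_FAIL
2026-01-20T10:05:20Z bob 10.0.0.7 LOGIN_FAIL
2026-01-20T10:05:31Z bob 10.0.0.7 LOGIN_FAIL
2026-01-20T10:06:02Z bob 203.0.113.9 LOGIN_OK
2026-01-20T10:20:00Z carol 10.0.0.8 LOGIN_FAIL
2026-01-20T10:20:30Z carol 10.0.0.8 LOGIN_OK
"""


def parse_line(line: str):
    ts, user, ip, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event


def find_suspicious_logins(log_text: str,
                           min_failures: int = 3,
                           window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Return one alert per success that follows >= min_failures recent failures
    from IPs other than the one that finally succeeded."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent_failures = defaultdict(list)   # user -> [(timestamp, ip), ...]
    alerts = []
    for ts, user, ip, event in events:
        if event == "LOGIN_FAIL":
            recent_failures[user].append((ts, ip))
            continue
        if event != "LOGIN_OK":
            continue
        # keep only failures inside the window preceding this success
        fails = [(t, i) for t, i in recent_failures[user] if ts - t <= window]
        failure_ips = {i for _, i in fails}
        if len(fails) >= min_failures and ip not in failure_ips:
            alerts.append({
                "user": user,
                "at": ts.isoformat(),
                "success_ip": ip,
                "failure_ips": sorted(failure_ips),
                "failures": len(fails),
            })
        recent_failures[user].clear()     # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

In the sample, bob triggers an alert (three failures from 10.0.0.7, then success from 203.0.113.9) while carol does not (a single failure, same IP). A stolen-cookie replay does not necessarily produce failed logins at all, so pair this rule with the first indicator: the same session identifier appearing from two source IPs or user agents within a short interval.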

Network Indicators:

  • Unexpected JavaScript requests attempting to access document.cookie
  • Suspicious client-side script injections

SIEM Query:

source="connectwise_psa" AND (event_type="session_hijack" OR cookie_access="unauthorized")
