CVE-2026-27933
📋 TL;DR
Manyfold versions before 0.133.0 are vulnerable to session hijacking due to cookie leakage in proxy caches. This allows attackers to steal user sessions and impersonate legitimate users. All self-hosted Manyfold instances using affected versions are impacted.
💻 Affected Systems
- Manyfold
📦 What is this software?
Manyfold by Manyfold
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the Manyfold instance, allowing them to delete or modify 3D models, access sensitive user data, and potentially pivot to other systems.
Likely Case
Unauthorized users gain access to other users' 3D model collections and can download, modify, or delete models without permission.
If Mitigated
With proper proxy cache controls and network segmentation, impact is limited to potential information disclosure of session tokens without actual session takeover.
🎯 Exploit Status
Exploitation requires access to proxy cache logs or the ability to intercept cached responses. No authentication needed to attempt exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.133.0
Vendor Advisory: https://github.com/manyfold3d/manyfold/security/advisories/GHSA-g949-hmvj-2r76
Restart Required: Yes
Instructions:
1. Backup your Manyfold data and configuration.
2. Stop the Manyfold service.
3. Update to version 0.133.0 using your package manager or by downloading from GitHub releases.
4. Restart the Manyfold service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Configure proxy cache to exclude session cookies
Configure your reverse proxy (nginx, Apache, etc.) so that it does not cache responses containing session cookies
# For nginx: add 'proxy_cache_bypass $cookie_sessionid;' to location block
# For Apache: use mod_cache with CacheIgnoreHeaders Set-Cookie
Disable proxy caching for Manyfold
Temporarily disable caching for the Manyfold application at the proxy level
# For nginx: add 'proxy_cache off;' to location block
# For Apache: disable mod_cache for Manyfold paths
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Manyfold instance from untrusted networks
- Deploy WAF rules to detect and block session hijacking attempts
🔍 How to Verify
Check if Vulnerable:
Check your Manyfold version. If it's below 0.133.0 and you're using a proxy cache, you are vulnerable.
Check Version:
Check the Manyfold web interface admin panel or run 'manyfold --version' if using CLI
Verify Fix Applied:
After updating to 0.133.0, verify that responses which set the session cookie carry 'Cache-Control: private' and that responses with 'Set-Cookie' headers are not being cached by your proxy.
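As an added check for the verification step above (example code, not from the Manyfold project or its advisory), this script classifies captured response headers for the cookie-in-shared-cache pattern; the cache-hit signal (X-Cache: HIT or a non-zero Age), the cookie name and all sample captures are assumptions.

```python
"""Classify captured HTTP response headers for the shared-cache cookie leak
behind CVE-2026-27933. Feed it headers of responses fetched through your
proxy (e.g. from `curl -i`); every sample value below is constructed."""

def cache_control_directives(value):
    """Parse a Cache-Control value into a set of lowercased directive names."""
    return {part.strip().split("=", 1)[0].lower()
            for part in value.split(",") if part.strip()}

def session_cookie_leak_risk(headers):
    """Classify one response:
    'no-cookie'        no Set-Cookie, nothing to leak
    'protected'        Set-Cookie with Cache-Control private or no-store
    'cacheable-cookie' Set-Cookie without private/no-store: a shared cache
                       may store this response and replay the cookie
    'cached-cookie'    Set-Cookie on a response the proxy served from its
                       store: the leak is already happening
    The cache-hit signal (X-Cache: HIT or non-zero Age) is an assumption
    about common proxies; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if "set-cookie" not in h:
        return "no-cookie"
    try:
        age = int(h.get("age", "0").strip() or 0)
    except ValueError:
        age = 0
    if h.get("x-cache", "").strip().upper().startswith("HIT") or age > 0:
        return "cached-cookie"
    directives = cache_control_directives(h.get("cache-control", ""))
    if directives & {"private", "no-store"}:
        return "protected"
    return "cacheable-cookie"

def audit(responses):
    """Map each captured URL to its verdict; return (verdicts, URLs needing action)."""
    verdicts = {url: session_cookie_leak_risk(hdrs) for url, hdrs in responses.items()}
    findings = sorted(u for u, v in verdicts.items() if v not in ("no-cookie", "protected"))
    return verdicts, findings

# Constructed sample captures (cookie name and URLs are illustrative only).
SAMPLE = {
    "/models/1": {"Content-Type": "text/html", "Cache-Control": "public, max-age=60"},
    "/login": {"Set-Cookie": "_app_session=abc123; HttpOnly; Secure",
               "Cache-Control": "private, no-cache"},
    "/": {"Set-Cookie": "_app_session=def456; HttpOnly", "Cache-Control": "max-age=60"},
    "/library": {"Set-Cookie": "_app_session=def456; HttpOnly", "Age": "37", "X-Cache": "HIT"},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```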
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from different IPs with same session ID
- Unusual access patterns to user-specific endpoints
Network Indicators:
- Requests with stolen session cookies from unexpected source IPs
- Cache hits on responses containing Set-Cookie headers
SIEM Query:
source="manyfold.log" AND ("session hijack" OR "multiple sessions" OR "unusual login location")