Listen to this Post
A vulnerability in PSI Probe up to version 5.3.0 exists within the session attribute handler, specifically in the `RemoveSessAttributeController.java` file. The flaw is that the function responsible for removing session attributes does not properly verify if the authenticated user owns the target session or has the necessary permissions. An attacker with low-privileged “probeuser” credentials can exploit this by sending a crafted HTTP POST request to the `/app/rmsattr.htm` endpoint. By specifying a target session ID (sid) and an attribute name (attr), the attacker can delete arbitrary session attributes from other users’ sessions, including those of administrators. This improper access control allows for the manipulation of session state, potentially removing security-critical flags like authorization status or MFA completion indicators .
dailycve form:
Platform: PSI Probe
Version: <=5.3.0
Vulnerability: Improper Access Control
Severity: Medium
date: 2026-02-26
Prediction: No official patch
What Undercode Say:
Analytics
The vulnerability is caused by a missing authorization check in the `handleContext` method of RemoveSessAttributeController.java. The code directly fetches the session ID and attribute name from the request parameters and proceeds to remove the attribute without verifying that the requester owns that session. This logic flaw is tracked as CWE-266 (Incorrect Privilege Assignment) .
Exploit
The following code snippet shows the vulnerable logic, which lacks any session ownership validation :
String sid = ServletRequestUtils.getStringParameter(request, "sid");
String attrName = ServletRequestUtils.getStringParameter(request, "attr");
Session session = context.getManager().findSession(sid);
if (session != null) {
session.getSession().removeAttribute(attrName); // No authorization check
}
An attacker can exploit this with a simple HTTP POST request :
POST /app/rmsattr.htm?webapp=/admin&sid=<ADMIN_SESSION_ID>&attr=isAuthorized HTTP/1.1 Host: psi-probe.example.com Authorization: Basic <ATTACKER_BASE64_CREDS>
Protection from this CVE
Until an official patch is released, implement strict network access controls to limit exposure of the PSI Probe interface to trusted internal networks only . Additionally, deploy a reverse proxy with strong authentication or use web application firewall (WAF) rules to filter requests to the `/app/rmsattr.htm` endpoint . The code should be patched to validate session ownership before allowing attribute removal, as demonstrated in the recommended fix :
boolean isOwnSession = currentUserSession.getId().equals(sessionId);
boolean isAdmin = request.isUserInRole("manager-gui") || request.isUserInRole("admin-gui");
if (!isOwnSession && !isAdmin) {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return null;
}
Impact
A successful exploit allows a low-privileged attacker to remove arbitrary session attributes from other users’ sessions . This can lead to privilege escalation by deleting authorization flags, bypassing multi-factor authentication by removing MFA completion status, or manipulating role-based access controls. The attack undermines session integrity and can compromise the security of the monitored Tomcat applications .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

