CVE-2026-28510: Session Fallback To Request Secret

Sensitive authentication secrets (such as MFA or TOTP secrets) should not be loaded from user-controlled request parameters. Falling back from a server-side session to a request object via '??' or '?:' allows an attacker to inject their own secret when the session variable is unset or expired, bypassing authentication phases (CVE-2026-28510). Retrieve such s

Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | PHP | β
greprules fetch cve-2026-28510-session-fallback-to-request-secret --engine opengrep
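The fallback the rule describes, beside a fail-closed replacement, as an added PHP example that is not code from the rule page or from any affected project; the array parameters standing in for $_SESSION and $_REQUEST, the key 'mfa_secret' and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the rule page or any affected project. The array
// parameters stand in for $_SESSION and $_REQUEST; 'mfa_secret' is an assumed key.

// Vulnerable pattern: when the session key is unset or the session has expired,
// '??' (the same holds for '?:') silently takes the value from the request, so
// the client decides which secret the server verifies against.
function loadSecretVulnerable(array $session, array $request): ?string
{
    return $session['mfa_secret'] ?? $request['mfa_secret'] ?? null;
}

// Hardened replacement: the secret comes only from server-side session state.
// A missing session value is an error that restarts the authentication flow;
// nothing in the request can ever supply it.
function loadSecretHardened(array $session): string
{
    if (!isset($session['mfa_secret']) || !is_string($session['mfa_secret'])) {
        throw new RuntimeException('MFA secret missing from session; restart authentication');
    }
    return $session['mfa_secret'];
}

// Constructed inputs: an expired (empty) session and a request carrying its own secret.
$expiredSession = [];
$request = ['mfa_secret' => 'client-supplied-value'];

// Vulnerable path: the request value wins because the session key is absent.
var_dump(loadSecretVulnerable($expiredSession, $request));

// Hardened path: fails closed instead of trusting the request.
try {
    loadSecretHardened($expiredSession);
} catch (RuntimeException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

// With a live session the hardened loader never looks at the request at all.
$liveSession = ['mfa_secret' => 'server-stored-secret'];
var_dump(loadSecretHardened($liveSession));
```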
