## Critical Authorization Gap in Gateway Enables Cross-User Session Hijacking
A critical security flaw has been identified in the WebSocket gateway module responsible for session reconnection handling. The vulnerability exists in `internal/gateway/conn.go`, which manages the AEP init handshake for WebSocket connections. During session reconnection, when a client provides an existing `session_id`, the code resolves the session but critically fails to verify that the authenticated user actually owns that session. While cross-bot access checks are properly enforced per SEC-007 specifications, user-level ownership validation is entirely absent from this code path, creating an exploitable authorization gap.

The issue was discovered during cycle 65's module analysis pass 5, with findings spanning `conn.go`, `handler.go`, and `api.go`. The vulnerability enables any authenticated attacker to hijack another user's active session by simply supplying the target's `session_id` during reconnection. The root cause lies in the `performInit` function, where session resolution occurs without subsequent user ownership verification. The finding has been classified as critical severity with high confidence, alongside a secondary low-severity observability issue.

Successful exploitation would allow an authenticated adversary to gain unauthorized access to another user's active session, potentially exposing sensitive data, communication history, and application state tied to that session. The vulnerability undermines the intended user isolation guarantees of the session management system. Immediate remediation requires implementing explicit user ownership validation before permitting session reconnection. Organizations relying on this gateway component should assess exposure and apply compensating controls until a patch is available.
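The following added example (not code from the affected project) contrasts the reconnection pattern the advisory describes with its hardened form; the session store, the `resolveVulnerable` and `resolveHardened` helpers, and the sample principals are constructed for illustration, and `performInit` itself is not reproduced.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the gateway's session store; not the real types
// from internal/gateway/conn.go.
type Session struct{ ID, UserID, BotID string }
type SessionStore map[string]*Session

var ErrNotFound = errors.New("session not found")
var ErrForbidden = errors.New("session not accessible to this principal")

// resolveVulnerable mirrors the flaw described above: the session is looked
// up by id and the cross-bot check runs, but the authenticated user is never
// compared against the session's owner.
func resolveVulnerable(store SessionStore, sessionID, authedUser, botID string) (*Session, error) {
	s, ok := store[sessionID]
	if !ok {
		return nil, ErrNotFound
	}
	if s.BotID != botID { // cross-bot check (SEC-007) is present...
		return nil, ErrForbidden
	}
	return s, nil // ...but authedUser is never consulted
}

// resolveHardened adds the missing ownership check before the session is
// handed back to the reconnecting client.
func resolveHardened(store SessionStore, sessionID, authedUser, botID string) (*Session, error) {
	s, ok := store[sessionID]
	if !ok {
		return nil, ErrNotFound
	}
	if s.BotID != botID || s.UserID != authedUser {
		return nil, ErrForbidden // one error for both checks: do not reveal which failed
	}
	return s, nil
}

func main() {
	store := SessionStore{"sess-1": {ID: "sess-1", UserID: "alice", BotID: "bot-a"}}
	_, err := resolveVulnerable(store, "sess-1", "mallory", "bot-a")
	fmt.Println("vulnerable grants mallory alice's session:", err == nil) // true
	_, err = resolveHardened(store, "sess-1", "mallory", "bot-a")
	fmt.Println("hardened rejects it:", errors.Is(err, ErrForbidden)) // true
}
```

A regression test that asserts the ownership check rejects a mismatched principal is the cheapest way to keep this path from reopening in later refactors.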

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: session hijacking, WebSocket, authorization bypass, gateway vulnerability, critical security flaw
- **Credibility**: unverified
- **Published**: 2026-05-07 17:31:41
- **ID**: 80285
- **URL**: https://whisperx.ai/en/intel/80285