July 1, 2026
Authentication Bypass via Session Token Reuse Leading to Account Takeover
Hello everyone, my name is Youssef Awad, and I'm a part-time bug bounty hunter.

By youssef awad
Recently I started hunting on a self-hosted program, in which I found a medium-severity bug.
Summary
I identified a session management vulnerability that allows complete account takeover with zero user interaction.
Story
While navigating the app, one of the first things I look at is session management, which I can view on the profile page after creating an account; let's call it Account 'A'.
So I started to view the API calls that happen in the background when requesting the /Profile endpoint.
Then I found this interesting API request to the endpoint /api/v1/User/me, which returns some sensitive info:
GET /api/v1/User/me HTTP/2
Host: usermanagement.unknown.com
Cookie: .AspNetCore.Cookies=Value
So I sent that request to Repeater to test the limits of this request, and I created another account, Account "B", to get its session token and test the session management.
Then I replaced Account B's cookie (.AspNetCore.Cookies) with Account A's cookie as a reverse test (B→A).
But unfortunately it gave me 401 Unauthorized.
But after I changed the HTTP method from POST to GET, I received a successful 200 response disclosing all of the victim's data.
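The behaviour described above, where a stale session cookie is rejected on POST but accepted on GET, is what a defender wants to be able to reproduce in a regression test. The following is an added example and not code from the program or from the author: it models the endpoint in Python with two handlers, a vulnerable one that checks the session store only on the POST branch, and a hardened one that validates the cookie (signature and active-session state) before routing for every method. The cookie format, the HMAC signing key, the session store, the user records, and the assumption that the 401 on POST came from a revoked session are all constructed for the demo; the real application's session mechanism is not described on the page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo key (assumption); a real app would use its data-protection key ring.
SERVER_KEY = b"demo-only-key-not-for-production"

# Constructed user records mirroring the fields the writeup says /api/v1/User/me exposes.
USERS = {
    "A": {"name": "Alice Example", "email": "alice@example.test",
          "guid": "00000000-0000-4000-8000-00000000000a", "region": "EG"},
    "B": {"name": "Bob Example", "email": "bob@example.test",
          "guid": "00000000-0000-4000-8000-00000000000b", "region": "EG"},
}


def mint_cookie(user_id: str) -> str:
    """Return a signed cookie 'user_id.nonce.mac' (assumed format for the demo)."""
    body = f"{user_id}.{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_signature(cookie: str) -> Optional[str]:
    """Return the user id if the cookie's MAC is valid, otherwise None."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    user_id, nonce, mac = parts
    expected = hmac.new(SERVER_KEY, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(expected, mac) else None


class SessionStore:
    """Server-side record of which issued cookies are still live (assumption)."""

    def __init__(self) -> None:
        self.active: set = set()

    def issue(self, user_id: str) -> str:
        cookie = mint_cookie(user_id)
        self.active.add(cookie)
        return cookie

    def revoke(self, cookie: str) -> None:
        self.active.discard(cookie)

    def is_active(self, cookie: str) -> bool:
        return cookie in self.active


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def vulnerable_user_me(method: str, cookie: str, store: SessionStore) -> Response:
    """Models the reported behaviour: only the POST branch consults the session store."""
    uid = verify_signature(cookie)
    if uid is None:
        return Response(401)
    if method == "POST":
        if not store.is_active(cookie):
            return Response(401)
        return Response(200, USERS[uid])
    if method == "GET":
        # Revocation is never checked here, so a stale but well-signed cookie still works.
        return Response(200, USERS[uid])
    return Response(405)


def hardened_user_me(method: str, cookie: str, store: SessionStore) -> Response:
    """Authenticate once, before routing, so every method sees the same decision."""
    uid = verify_signature(cookie)
    if uid is None or not store.is_active(cookie):
        return Response(401)
    if method not in ("GET", "POST"):
        return Response(405)
    return Response(200, USERS[uid])


def replay_scenario(handler) -> dict:
    """Issue A's cookie, revoke it, log in as B, then replay A's stale cookie on POST and GET."""
    store = SessionStore()
    stale_a = store.issue("A")
    store.revoke(stale_a)          # assumed cause of the 401 seen on POST
    store.issue("B")               # attacker's own live session, unused by the replay
    return {m: handler(m, stale_a, store).status for m in ("POST", "GET")}


if __name__ == "__main__":
    print("vulnerable:", replay_scenario(vulnerable_user_me))
    print("hardened:  ", replay_scenario(hardened_user_me))
```

The regression check that matters is `replay_scenario`: the vulnerable handler returns 401 for POST and 200 for GET, exactly the asymmetry described above, while the hardened handler returns 401 for both because the session lookup happens before any method-specific code runs. Tampered cookies fail the MAC check in either version, so the bug is purely one of inconsistent revocation checks, not of signature validation.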
Impact
1. Full Account Takeover
An attacker can impersonate any user without needing their password or MFA, just by reusing a valid session cookie, with zero interaction from the victim.
2. Exposure of Sensitive PII
The /api/v1/User/me endpoint exposes full names, email addresses, unique user GUIDs, and entitlement country/region information.
Unfortunately, I was late.
While it's frustrating to come in second, there's actually a silver lining here: the report was marked as a duplicate, which confirms the finding was valid.