Access possible vulnerability

We have been using Cloudflare Access without issue and this we see a vulnerability. Is this an Access issue?

“A web application authenticates a user without first invalidating the existing session, thereby continuing to use the session already associated with the user. [2] An attacker is able to force a known session identifier on a user so that, once the user authenticates, the attacker has access to the authenticated session. [3] The application or container uses predictable session identifiers. In the generic exploit of session fixation vulnerabilities, an attacker creates a new session on a web application and records the associated session identifier. The attacker then causes the victim to associate, and possibly authenticate, against the server, using that session identifier. This gives the attacker access to the user’s account through the active session. AppScan has found that after a user signs out of the application, the identifiers that were used during the session were not invalidated. If the server fails to invalidate the session identifiers, it is possible for other users to use those identifiers to impersonate that user and perform actions on his behalf.”

Session Fixation is pretty high on the list of obvious ways to hack into someone’s session, and requires the victim to do something careless. I doubt it has flown under Cloudflare’s radar.

But if you want a definitive answer, you can open a ticket.
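
The two conditions in the quoted scanner finding (the session identifier is kept across login, and it is still valid after sign-out) can be checked against a session layer as below. This is an added example, not part of the thread and not Cloudflare Access code: `SessionStore` and `audit` are hypothetical names for a constructed in-memory session table, shown with the weak behaviour beside the corrected one.

```python
import secrets


class SessionStore:
    """Hypothetical server-side session table, constructed for this example."""

    def __init__(self, rotate_on_login, invalidate_on_logout):
        self.rotate_on_login = rotate_on_login
        self.invalidate_on_logout = invalidate_on_logout
        self.sessions = {}  # session id -> username, or None while anonymous

    def new_anonymous(self):
        sid = secrets.token_urlsafe(32)  # unpredictable identifier
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        if self.rotate_on_login:
            # Corrected behaviour: the pre-login identifier stops being valid
            # and the authenticated session gets a fresh one.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def logout(self, sid):
        if self.invalidate_on_logout:
            # Corrected behaviour: drop the server-side entry, not just the cookie.
            self.sessions.pop(sid, None)

    def whoami(self, sid):
        return self.sessions.get(sid)


def audit(store, user="alice"):
    """Report the two conditions described in the scanner text as booleans."""
    pre = store.new_anonymous()
    post = store.login(pre, user)
    fixation = store.whoami(pre) == user        # pre-login id became authenticated
    store.logout(post)
    valid_after_logout = store.whoami(post) == user
    return {"fixation": fixation, "valid_after_logout": valid_after_logout}


if __name__ == "__main__":
    print("weak:     ", audit(SessionStore(False, False)))
    print("corrected:", audit(SessionStore(True, True)))
```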