Apache Zeppelin before 0.7.3 was vulnerable to session fixation which allowed an malicious user to hijack a valid user session. Issue was reported by "stone lone".
apache zeppelin