CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-77W8-QV8M-386H
Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2024-11-26 18:33OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.0a0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-5253"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-14T21:16:52Z",
"nvd_published_at": "2014-08-25T14:55:00Z",
"severity": "HIGH"
},
"details": "OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.",
"id": "GHSA-77w8-qv8m-386h",
"modified": "2024-11-26T18:33:23Z",
"published": "2022-05-17T04:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5253"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/317f9d34b4da20c21edd5b851889298b67c843e1"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/3e035ebb726167aef43c4a865c7e7f7d3b0978fb"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/c4447f16da036fe878382ce4e1b05b84bdcc4d4e"
},
{
"type": "WEB",
"url": "https://github.com/openstack/keystone/commit/cccc3f3239c68479de0f6a41bd64badf2a9ec9e7"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1349597"
},
{
"type": "PACKAGE",
"url": "https://github.com/openstack/keystone"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2014-109.yaml"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1121.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1122.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2014/08/15/6"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2324-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenStack Keystone Domain-scoped tokens don\u0027t get revoked"
}
GHSA-79GG-W7M7-C3GC
Vulnerability from github – Published: 2025-04-24 00:31 – Updated: 2025-04-24 00:31IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-22351"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-23T23:15:15Z",
"severity": "MODERATE"
},
"details": "IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-79gg-w7m7-c3gc",
"modified": "2025-04-24T00:31:19Z",
"published": "2025-04-24T00:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22351"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7229921"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-79HX-G43V-XFMR
Vulnerability from github – Published: 2023-03-21 06:30 – Updated: 2023-03-23 19:01Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/answerdev/answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-1543"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-21T22:31:39Z",
"nvd_published_at": "2023-03-21T05:15:00Z",
"severity": "HIGH"
},
"details": "Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.",
"id": "GHSA-79hx-g43v-xfmr",
"modified": "2023-03-23T19:01:37Z",
"published": "2023-03-21T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1543"
},
{
"type": "WEB",
"url": "https://github.com/answerdev/answer/commit/cd742b75605c99776f32d271c0a60e0f468e181c"
},
{
"type": "PACKAGE",
"url": "https://github.com/answerdev/answer"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f82388d6-dfc3-4fbc-bea6-eb40cf5b2683"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Answer vulnerable to Insufficient Session Expiration"
}
GHSA-79M4-GX9C-J55F
Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 00:32The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
{
"affected": [],
"aliases": [
"CVE-2026-54479"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T22:17:02Z",
"severity": "MODERATE"
},
"details": "The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.",
"id": "GHSA-79m4-gx9c-j55f",
"modified": "2026-06-26T00:32:06Z",
"published": "2026-06-26T00:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54479"
},
{
"type": "WEB",
"url": "https://evokesystems.com/contact-us"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-02.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-7F2F-4PM3-CV4P
Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.
{
"affected": [],
"aliases": [
"CVE-2020-27416"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-08T19:15:00Z",
"severity": "CRITICAL"
},
"details": "Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.",
"id": "GHSA-7f2f-4pm3-cv4p",
"modified": "2021-12-14T00:01:31Z",
"published": "2021-12-09T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27416"
},
{
"type": "WEB",
"url": "https://cvewalkthrough.com/cve-2021-41716-mahavitaran-android-application-account-take-over-via-otp-fixation"
},
{
"type": "WEB",
"url": "https://play.google.com/store/apps/details?id=com.msedcl.app\u0026hl=en\u0026gl=US"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7FMW-85QM-H22P
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2023-07-26 19:15It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-parent"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-12159"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-26T19:15:53Z",
"nvd_published_at": "2017-10-26T17:29:00Z",
"severity": "HIGH"
},
"details": "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.",
"id": "GHSA-7fmw-85qm-h22p",
"modified": "2023-07-26T19:15:53Z",
"published": "2022-05-13T01:38:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12159"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2904"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2905"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2906"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484111"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20210124113906/http://www.securityfocus.com/bid/101601"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak CSRF Vulnerability"
}
GHSA-7FXH-QXMW-7XH7
Vulnerability from github – Published: 2025-06-01 12:30 – Updated: 2025-06-01 12:30IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-33005"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-01T12:15:25Z",
"severity": "MODERATE"
},
"details": "IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-7fxh-qxmw-7xh7",
"modified": "2025-06-01T12:30:25Z",
"published": "2025-06-01T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33005"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7235182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7GGW-H8PP-R95R
Vulnerability from github – Published: 2021-02-10 02:32 – Updated: 2023-09-07 17:47Impact
When logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed.
Patches
Issue has been patched in Build 472 (v1.0.472) and v1.1.2.
Workarounds
Apply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2.
References
- Reported by Anisio (Brazilian Information Security Analyst)
- http://cve.circl.lu/cve/CVE-2021-3311
For more information
If you have any questions or comments about this advisory: * Email us at hello@octobercms.com
Threat assessment:

{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "october/rain"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.472"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "october/rain"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3311"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-02-10T02:30:45Z",
"nvd_published_at": "2021-02-05T14:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nWhen logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed.\n\n### Patches\nIssue has been patched in Build 472 (v1.0.472) and v1.1.2.\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2.\n\n### References\n- Reported by Anisio (Brazilian Information Security Analyst)\n- http://cve.circl.lu/cve/CVE-2021-3311\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n\u003cimg width=\"699\" alt=\"Screen Shot 2021-02-07 at 11 50 35 PM\" src=\"https://user-images.githubusercontent.com/7253840/107180881-51eaf000-699f-11eb-8828-333128faf2a6.png\"\u003e",
"id": "GHSA-7ggw-h8pp-r95r",
"modified": "2023-09-07T17:47:26Z",
"published": "2021-02-10T02:32:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3311"
},
{
"type": "WEB",
"url": "https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024"
},
{
"type": "WEB",
"url": "https://anisiosantos.me/october-cms-token-reactivation"
},
{
"type": "WEB",
"url": "https://octobercms.com/forum/chan/announcements"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/october/rain"
},
{
"type": "WEB",
"url": "http://cve.circl.lu/cve/CVE-2021-3311"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "October CMS Session ID not invalidated after logout"
}
GHSA-7HGR-XVRR-XPW3
Vulnerability from github – Published: 2026-05-08 17:39 – Updated: 2026-05-08 17:39Description
When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The auth.refresh_tokens and auth.oauth2_refresh_tokens tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.
This vulnerability affects all password change paths (handled in change_user_password.go), since they share the same underlying workflow:
- Authenticated password change via the Nhost dashboard or client SDK
- Ticket-based password reset (magic links / recovery flows)
- OAuth2/OIDC sessions managed via
auth.oauth2_refresh_tokens
Attack Scenario
- An attacker steals a victim's refresh token via XSS or a compromised device.
- The victim changes their password, expecting it to terminate all active sessions.
- The server updates
password_hashbut performs no session cleanup, the stolen token remains fully functional.
Impact
The attacker retains persistent access even after the victim's password change. This is especially severe in credential theft scenarios, where the victim's only recovery action does nothing against an active session. Depending on configured TTL, the attacker's window could be days or weeks.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/nhost/nhost"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260430132514-52c70664a7e9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-08T17:39:48Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Description\n\nWhen a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the [`ChangePassword`](https://github.com/nhost/nhost/blob/main/services/auth/go/controller/workflows.go#L731-L759) workflow correctly hashes and persists the new password via [`UpdateUserChangePassword`](https://github.com/nhost/nhost/blob/main/services/auth/go/sql/query.sql#L314-L318). However, it does not revoke existing sessions. The `auth.refresh_tokens` and `auth.oauth2_refresh_tokens` tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.\n\nThis vulnerability affects all password change paths (handled in [`change_user_password.go`](https://github.com/nhost/nhost/blob/main/services/auth/go/controller/change_user_password.go)), since they share the same underlying workflow:\n\n- Authenticated password change via the Nhost dashboard or client SDK\n- Ticket-based password reset (magic links / recovery flows)\n- OAuth2/OIDC sessions managed via `auth.oauth2_refresh_tokens`\n\n## Attack Scenario\n\n1. An attacker steals a victim\u0027s refresh token via XSS or a compromised device.\n2. The victim changes their password, expecting it to terminate all active sessions.\n3. The server updates `password_hash` but performs no session cleanup, the stolen token remains fully functional.\n\n## Impact\n\nThe attacker retains persistent access even after the victim\u0027s password change. This is especially severe in credential theft scenarios, where the victim\u0027s only recovery action does nothing against an active session. Depending on configured TTL, the attacker\u0027s window could be days or weeks.",
"id": "GHSA-7hgr-xvrr-xpw3",
"modified": "2026-05-08T17:39:48Z",
"published": "2026-05-08T17:39:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nhost/nhost/security/advisories/GHSA-7hgr-xvrr-xpw3"
},
{
"type": "WEB",
"url": "https://github.com/nhost/nhost/commit/52c70664a7e92031e592b873471939b10ca18079"
},
{
"type": "PACKAGE",
"url": "https://github.com/nhost/nhost"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "nhost has Session Persistence After Password Change"
}
GHSA-7HW8-6Q6R-4276
Vulnerability from github – Published: 2026-06-19 21:17 – Updated: 2026-06-19 21:17Summary
The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.
Details
Not in auto login mode. Hosted on localhost. access_token_lf remains present in both Local Storage and Cookies. refresh_token_lf remains present in Cookies.
Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.
LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER: <set>
LANGFLOW_SUPERUSER_PASSWORD: <set>
LANGFLOW_SECRET_KEY: <set>
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"
PoC
Click Logout. Hit refresh to return to previous screen.
Impact
Users on shared computers may falsely believe they have terminated their session.
Patches
Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 1.7.0"
},
"package": {
"ecosystem": "PyPI",
"name": "langflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55423"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T21:17:01Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.\n\n### Details\nNot in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf` remains present in Cookies.\n\n**Root cause:** the `/logout` endpoint deleted the authentication cookies without matching the original `httponly`/`samesite`/`secure`/`domain` parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.\n\n```\nLANGFLOW_AUTO_LOGIN: \"False\"\nLANGFLOW_SUPERUSER: \u003cset\u003e\nLANGFLOW_SUPERUSER_PASSWORD: \u003cset\u003e\nLANGFLOW_SECRET_KEY: \u003cset\u003e\nLANGFLOW_NEW_USER_IS_ACTIVE: \"False\"\nLANGFLOW_ENABLE_SUPERUSER_CLI: \"False\"\n```\n\n### PoC\nClick Logout. Hit refresh to return to previous screen.\n\n### Impact\nUsers on shared computers may falsely believe they have terminated their session.\n\n### Patches\nFixed in **1.7.0** (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to **1.7.0 or later**.",
"id": "GHSA-7hw8-6q6r-4276",
"modified": "2026-06-19T21:17:01Z",
"published": "2026-06-19T21:17:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276"
},
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/pull/10527"
},
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/pull/10528"
},
{
"type": "PACKAGE",
"url": "https://github.com/langflow-ai/langflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Langflow: Logout button does not clear session"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.