Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-G692-X4M9-J29G

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-0234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-30T16:29:00Z",
    "severity": "LOW"
  },
  "details": "IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.",
  "id": "GHSA-g692-x4m9-j29g",
  "modified": "2022-05-13T01:38:51Z",
  "published": "2022-05-13T01:38:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0234"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/110303"
    },
    {
      "type": "WEB",
      "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21997687"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G72G-R7M4-9X4G

Vulnerability from github – Published: 2026-06-05 16:43 – Updated: 2026-06-12 19:24
VLAI
Summary
NocoDB: OAuth Tokens Persist Through Security Events
Details

Summary

OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.

Details

revokeAllOAuthTokensByUser in the users service was an empty stub being called from passwordChange, passwordForgot, and passwordReset. It now delegates to OAuthToken.revokeAllByUser(userId), which deletes the rows and invalidates the related auth caches. All three reset/recovery flows now consistently revoke refresh tokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate token_version.

Impact

Persistent unauthorized access through previously issued OAuth tokens after a documented security event (password change, forgot, or reset).

Credit

This issue was reported by @bugbunny-research.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.05.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.05.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53926"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T16:43:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nOAuth access and refresh tokens were not revoked when the user changed, reset, or\nrecovered their password, leaving an attacker-issued OAuth grant valid after the user\nbelieved they had locked the attacker out.\n\n### Details\n`revokeAllOAuthTokensByUser` in the users service was an empty stub being called from\n`passwordChange`, `passwordForgot`, and `passwordReset`. It now delegates to\n`OAuthToken.revokeAllByUser(userId)`, which deletes the rows and invalidates the\nrelated auth caches. All three reset/recovery flows now consistently revoke refresh\ntokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate\n`token_version`.\n\n### Impact\nPersistent unauthorized access through previously issued OAuth tokens after a\ndocumented security event (password change, forgot, or reset).\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
  "id": "GHSA-g72g-r7m4-9x4g",
  "modified": "2026-06-12T19:24:17Z",
  "published": "2026-06-05T16:43:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: OAuth Tokens Persist Through Security Events"
}

GHSA-G785-R4R2-28QV

Vulnerability from github – Published: 2023-01-05 09:30 – Updated: 2023-01-11 03:30
VLAI
Details

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-22371"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-05T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.",
  "id": "GHSA-g785-r4r2-28qv",
  "modified": "2023-01-11T03:30:19Z",
  "published": "2023-01-05T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22371"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/221195"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6852461"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G797-R4R7-WP94

Vulnerability from github – Published: 2024-11-26 21:32 – Updated: 2024-11-26 21:32
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-26T19:15:22Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.",
  "id": "GHSA-g797-r4r7-wp94",
  "modified": "2024-11-26T21:32:24Z",
  "published": "2024-11-26T21:32:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11668"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/456922"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G7R3-JWHW-2WFV

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-08-23 17:58
VLAI
Summary
Microweber Insufficient Session Expiry
Details

Microweber v1.1.18 is affected by no session expiry after log-out.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "microweber/microweber"
      },
      "versions": [
        "1.1.18"
      ]
    }
  ],
  "aliases": [
    "CVE-2020-23136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-13T21:47:43Z",
    "nvd_published_at": "2020-11-09T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Microweber v1.1.18 is affected by no session expiry after log-out.",
  "id": "GHSA-g7r3-jwhw-2wfv",
  "modified": "2023-08-23T17:58:02Z",
  "published": "2022-05-24T17:33:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23136"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/virendratiwari03/0b0d161e1141fdd74122abbb02fefe17"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microweber/microweber"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Microweber Insufficient Session Expiry"
}

GHSA-G863-PP98-8M8M

Vulnerability from github – Published: 2024-11-23 15:32 – Updated: 2024-11-26 21:32
VLAI
Details

IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6 could allow an authenticated user to obtain sensitive information due to insufficient session expiration.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-35160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-23T14:15:18Z",
    "severity": "MODERATE"
  },
  "details": "IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2\u00a0and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6\u00a0could allow an authenticated user to obtain sensitive information due to insufficient session expiration.",
  "id": "GHSA-g863-pp98-8m8m",
  "modified": "2024-11-26T21:32:24Z",
  "published": "2024-11-23T15:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35160"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7168703"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7176947"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GC2C-R5JF-WHF8

Vulnerability from github – Published: 2024-09-16 15:32 – Updated: 2024-09-16 15:32
VLAI
Details

IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-16T15:15:16Z",
    "severity": "MODERATE"
  },
  "details": "IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-gc2c-r5jf-whf8",
  "modified": "2024-09-16T15:32:46Z",
  "published": "2024-09-16T15:32:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38315"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294742"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7168379"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GF6W-7F3P-CMX4

Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-07 15:30
VLAI
Details

An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5376"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-07T15:17:47Z",
    "severity": "MODERATE"
  },
  "details": "An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform.",
  "id": "GHSA-gf6w-7f3p-cmx4",
  "modified": "2026-04-07T15:30:52Z",
  "published": "2026-04-07T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5376"
    },
    {
      "type": "WEB",
      "url": "https://help.runzero.com/docs/release-notes/#402602030"
    },
    {
      "type": "WEB",
      "url": "https://www.runzero.com/advisories/runzero-platform-session-timeout-failure-cve-2026-5376"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GGCF-HWXP-RC77

Vulnerability from github – Published: 2023-08-03 06:30 – Updated: 2023-08-03 16:42
VLAI
Summary
Answer Insufficient Session Expiration vulnerability
Details

Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/answerdev/answer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4126"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T16:42:38Z",
    "nvd_published_at": "2023-08-03T04:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.",
  "id": "GHSA-ggcf-hwxp-rc77",
  "modified": "2023-08-03T16:42:38Z",
  "published": "2023-08-03T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4126"
    },
    {
      "type": "WEB",
      "url": "https://github.com/answerdev/answer/commit/4f468b58d0dea51290bfbdd3e96332b0014c8730"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/answerdev/answer"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/7f50bf1c-bcb9-46ca-8cec-211493d280c5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Answer Insufficient Session Expiration vulnerability"
}

GHSA-GGW5-PFVX-R7J9

Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31
VLAI
Details

An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-45862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-13T16:15:07Z",
    "severity": "LOW"
  },
  "details": "An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.",
  "id": "GHSA-ggw5-pfvx-r7j9",
  "modified": "2024-08-13T18:31:15Z",
  "published": "2024-08-13T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45862"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/psirt/FG-IR-22-445"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.