CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
GHSA-G692-X4M9-J29G
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.
{
"affected": [],
"aliases": [
"CVE-2016-0234"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-30T16:29:00Z",
"severity": "LOW"
},
"details": "IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.",
"id": "GHSA-g692-x4m9-j29g",
"modified": "2022-05-13T01:38:51Z",
"published": "2022-05-13T01:38:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0234"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/110303"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21997687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G72G-R7M4-9X4G
Vulnerability from github – Published: 2026-06-05 16:43 – Updated: 2026-06-12 19:24Summary
OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.
Details
revokeAllOAuthTokensByUser in the users service was an empty stub being called from
passwordChange, passwordForgot, and passwordReset. It now delegates to
OAuthToken.revokeAllByUser(userId), which deletes the rows and invalidates the
related auth caches. All three reset/recovery flows now consistently revoke refresh
tokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate
token_version.
Impact
Persistent unauthorized access through previously issued OAuth tokens after a documented security event (password change, forgot, or reset).
Credit
This issue was reported by @bugbunny-research.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.05.0"
},
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.05.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53926"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:43:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nOAuth access and refresh tokens were not revoked when the user changed, reset, or\nrecovered their password, leaving an attacker-issued OAuth grant valid after the user\nbelieved they had locked the attacker out.\n\n### Details\n`revokeAllOAuthTokensByUser` in the users service was an empty stub being called from\n`passwordChange`, `passwordForgot`, and `passwordReset`. It now delegates to\n`OAuthToken.revokeAllByUser(userId)`, which deletes the rows and invalidates the\nrelated auth caches. All three reset/recovery flows now consistently revoke refresh\ntokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate\n`token_version`.\n\n### Impact\nPersistent unauthorized access through previously issued OAuth tokens after a\ndocumented security event (password change, forgot, or reset).\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
"id": "GHSA-g72g-r7m4-9x4g",
"modified": "2026-06-12T19:24:17Z",
"published": "2026-06-05T16:43:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "NocoDB: OAuth Tokens Persist Through Security Events"
}
GHSA-G785-R4R2-28QV
Vulnerability from github – Published: 2023-01-05 09:30 – Updated: 2023-01-11 03:30IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.
{
"affected": [],
"aliases": [
"CVE-2022-22371"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T07:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.",
"id": "GHSA-g785-r4r2-28qv",
"modified": "2023-01-11T03:30:19Z",
"published": "2023-01-05T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22371"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/221195"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6852461"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G797-R4R7-WP94
Vulnerability from github – Published: 2024-11-26 21:32 – Updated: 2024-11-26 21:32An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
{
"affected": [],
"aliases": [
"CVE-2024-11668"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T19:15:22Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.",
"id": "GHSA-g797-r4r7-wp94",
"modified": "2024-11-26T21:32:24Z",
"published": "2024-11-26T21:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11668"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/456922"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G7R3-JWHW-2WFV
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-08-23 17:58Microweber v1.1.18 is affected by no session expiry after log-out.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "microweber/microweber"
},
"versions": [
"1.1.18"
]
}
],
"aliases": [
"CVE-2020-23136"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T21:47:43Z",
"nvd_published_at": "2020-11-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "Microweber v1.1.18 is affected by no session expiry after log-out.",
"id": "GHSA-g7r3-jwhw-2wfv",
"modified": "2023-08-23T17:58:02Z",
"published": "2022-05-24T17:33:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23136"
},
{
"type": "WEB",
"url": "https://gist.github.com/virendratiwari03/0b0d161e1141fdd74122abbb02fefe17"
},
{
"type": "PACKAGE",
"url": "https://github.com/microweber/microweber"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Microweber Insufficient Session Expiry"
}
GHSA-G863-PP98-8M8M
Vulnerability from github – Published: 2024-11-23 15:32 – Updated: 2024-11-26 21:32IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6 could allow an authenticated user to obtain sensitive information due to insufficient session expiration.
{
"affected": [],
"aliases": [
"CVE-2024-35160"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-23T14:15:18Z",
"severity": "MODERATE"
},
"details": "IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2\u00a0and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6\u00a0could allow an authenticated user to obtain sensitive information due to insufficient session expiration.",
"id": "GHSA-g863-pp98-8m8m",
"modified": "2024-11-26T21:32:24Z",
"published": "2024-11-23T15:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35160"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168703"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7176947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GC2C-R5JF-WHF8
Vulnerability from github – Published: 2024-09-16 15:32 – Updated: 2024-09-16 15:32IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-38315"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-16T15:15:16Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-gc2c-r5jf-whf8",
"modified": "2024-09-16T15:32:46Z",
"published": "2024-09-16T15:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38315"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294742"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GF6W-7F3P-CMX4
Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-07 15:30An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
{
"affected": [],
"aliases": [
"CVE-2026-5376"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T15:17:47Z",
"severity": "MODERATE"
},
"details": "An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform.",
"id": "GHSA-gf6w-7f3p-cmx4",
"modified": "2026-04-07T15:30:52Z",
"published": "2026-04-07T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5376"
},
{
"type": "WEB",
"url": "https://help.runzero.com/docs/release-notes/#402602030"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/runzero-platform-session-timeout-failure-cve-2026-5376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GGCF-HWXP-RC77
Vulnerability from github – Published: 2023-08-03 06:30 – Updated: 2023-08-03 16:42Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/answerdev/answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4126"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T16:42:38Z",
"nvd_published_at": "2023-08-03T04:15:11Z",
"severity": "MODERATE"
},
"details": "Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.",
"id": "GHSA-ggcf-hwxp-rc77",
"modified": "2023-08-03T16:42:38Z",
"published": "2023-08-03T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4126"
},
{
"type": "WEB",
"url": "https://github.com/answerdev/answer/commit/4f468b58d0dea51290bfbdd3e96332b0014c8730"
},
{
"type": "PACKAGE",
"url": "https://github.com/answerdev/answer"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7f50bf1c-bcb9-46ca-8cec-211493d280c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Answer Insufficient Session Expiration vulnerability"
}
GHSA-GGW5-PFVX-R7J9
Vulnerability from github – Published: 2024-08-13 18:31 – Updated: 2024-08-13 18:31An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.
{
"affected": [],
"aliases": [
"CVE-2022-45862"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-13T16:15:07Z",
"severity": "LOW"
},
"details": "An insufficient session expiration vulnerability [CWE-613] vulnerability in FortiOS 7.2.5 and below, 7.0 all versions, 6.4 all versions; FortiProxy 7.2 all versions, 7.0 all versions; FortiPAM 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions; FortiSwitchManager 7.2.1 and below, 7.0 all versions GUI may allow attackers to re-use websessions after GUI logout, should they manage to acquire the required credentials.",
"id": "GHSA-ggw5-pfvx-r7j9",
"modified": "2024-08-13T18:31:15Z",
"published": "2024-08-13T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45862"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-22-445"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.