CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
874 vulnerabilities reference this CWE, most recent first.
GHSA-R6XP-85FR-87P6
Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.
{
"affected": [],
"aliases": [
"CVE-2021-40849"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-03T11:15:00Z",
"severity": "CRITICAL"
},
"details": "In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.",
"id": "GHSA-r6xp-85fr-87p6",
"modified": "2022-05-24T19:19:35Z",
"published": "2022-05-24T19:19:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40849"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/mahara/+bug/1930469"
},
{
"type": "WEB",
"url": "https://mahara.org/interaction/forum/topic.php?id=8949"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R76W-3WWQ-JV6V
Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2024-10-21 19:57rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "4.17.0"
},
{
"fixed": "4.17.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "4.16.0"
},
{
"fixed": "4.16.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "pretix"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.15.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27891"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-14T23:01:26Z",
"nvd_published_at": "2023-03-06T23:15:00Z",
"severity": "HIGH"
},
"details": "rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.",
"id": "GHSA-r76w-3wwq-jv6v",
"modified": "2024-10-21T19:57:52Z",
"published": "2023-03-07T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27891"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-42.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/thufschmitt/pretix-nix"
},
{
"type": "WEB",
"url": "https://pretix.eu/about/en/blog/20230306-release-4171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Insufficient Session Expiration in pretix"
}
GHSA-R7CM-W9CH-CF3G
Vulnerability from github – Published: 2026-06-15 12:32 – Updated: 2026-06-15 12:32A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.
{
"affected": [],
"aliases": [
"CVE-2026-44188"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-15T10:16:28Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.",
"id": "GHSA-r7cm-w9ch-cf3g",
"modified": "2026-06-15T12:32:44Z",
"published": "2026-06-15T12:32:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44188"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25928"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-44188"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R8PM-G6V2-5WGX
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17The vulnerability can be described as a failure to invalidate user session upon password change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session.
{
"affected": [],
"aliases": [
"CVE-2021-35214"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-12T16:15:00Z",
"severity": "MODERATE"
},
"details": "The vulnerability can be described as a failure to invalidate user session upon password change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session.",
"id": "GHSA-r8pm-g6v2-5wgx",
"modified": "2022-05-24T19:17:18Z",
"published": "2022-05-24T19:17:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35214"
},
{
"type": "WEB",
"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R926-QJG2-Q5JR
Vulnerability from github – Published: 2023-12-14 06:30 – Updated: 2025-11-04 21:30An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.
{
"affected": [],
"aliases": [
"CVE-2023-49935"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-14T05:15:10Z",
"severity": "HIGH"
},
"details": "An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.",
"id": "GHSA-r926-qjg2-q5jr",
"modified": "2025-11-04T21:30:52Z",
"published": "2023-12-14T06:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49935"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO"
},
{
"type": "WEB",
"url": "https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html"
},
{
"type": "WEB",
"url": "https://www.schedmd.com/security-archive.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R954-PFF6-J82V
Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-01-02 18:30Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
{
"affected": [],
"aliases": [
"CVE-2024-56413"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T16:15:08Z",
"severity": "MODERATE"
},
"details": "Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.",
"id": "GHSA-r954-pff6-j82v",
"modified": "2025-01-02T18:30:36Z",
"published": "2025-01-02T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56413"
},
{
"type": "WEB",
"url": "https://security-advisory.acronis.com/advisories/SEC-7612"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R989-7G3J-WJHW
Vulnerability from github – Published: 2026-06-17 14:07 – Updated: 2026-06-17 14:07Summary
A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.
Details
passwordChange and passwordReset deleted the user's refresh tokens, but
passwordForgot only rotated token_version and revoked OAuth tokens — it did not
call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured
refresh cookie could still exchange it for a new access token after the victim
triggered the recovery flow.
Impact
Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.
Credit
This issue was reported by @bugbunny-research.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.301.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53928"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-17T14:07:33Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nA stolen refresh token survived a password-forgot flow and could be used to mint fresh\nJWTs even after the user reset their password.\n\n### Details\n`passwordChange` and `passwordReset` deleted the user\u0027s refresh tokens, but\n`passwordForgot` only rotated `token_version` and revoked OAuth tokens \u2014 it did not\ncall `UserRefreshToken.deleteAllUserToken(user.id)`. An attacker holding a captured\nrefresh cookie could still exchange it for a new access token after the victim\ntriggered the recovery flow.\n\n### Impact\nPersistent unauthorized access after password recovery. Once a refresh token leaks, the\ndocumented \"Forgot password\" recovery flow did not in fact revoke the attacker\u0027s\nsession.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
"id": "GHSA-r989-7g3j-wjhw",
"modified": "2026-06-17T14:07:33Z",
"published": "2026-06-17T14:07:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-r989-7g3j-wjhw"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "NocoDB: Refresh Tokens Persist Through Password Recovery"
}
GHSA-R9RJ-JC5H-JCWH
Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-02-14 18:30When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
{
"affected": [],
"aliases": [
"CVE-2024-22389"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-14T17:15:12Z",
"severity": "HIGH"
},
"details": "When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device. \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
"id": "GHSA-r9rj-jc5h-jcwh",
"modified": "2024-02-14T18:30:25Z",
"published": "2024-02-14T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22389"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K32544615"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RCM4-JV5G-WCCM
Vulnerability from github – Published: 2024-06-07 22:30 – Updated: 2024-06-07 22:30Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release 0.1.2), tokens weren't checked for validity/expiration.
This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "zfr/zfr-oauth2-server-module"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-07T22:30:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release [0.1.2](https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2)), tokens weren\u0027t checked for validity/expiration.\n\nThis potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.",
"id": "GHSA-rcm4-jv5g-wccm",
"modified": "2024-06-07T22:30:03Z",
"published": "2024-06-07T22:30:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zf-fr/zfr-oauth2-server-module/issues/6"
},
{
"type": "WEB",
"url": "https://github.com/zf-fr/zfr-oauth2-server-module/commit/2ca5bb1c2f11537be8f94ca6867d8d69789e744a"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zfr/zfr-oauth2-server-module/2014-04-26.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/zf-fr/zfr-oauth2-server-module"
},
{
"type": "WEB",
"url": "https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "zfr authentication adapter did not verify validity of tokens"
}
GHSA-RCWJ-2HJ2-VMJJ
Vulnerability from github – Published: 2022-02-09 00:23 – Updated: 2022-02-09 00:23If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.5.0"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.nifi.registry:nifi-registry-web-api"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "0.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-9482"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-29T18:36:05Z",
"nvd_published_at": "2020-04-28T19:15:00Z",
"severity": "MODERATE"
},
"details": "If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user\u0027s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.",
"id": "GHSA-rcwj-2hj2-vmjj",
"modified": "2022-02-09T00:23:06Z",
"published": "2022-02-09T00:23:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9482"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi-registry/pull/259/commits/32f9352465e877d71ad7f85b70f2304ba620e133#diff-a72e640a2c41fe6fe8848066f6a588da2e9e76350bef287d7e145a231042c485"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi-registry/pull/277/files/9f7f1c1b1095e3facdaa986435fa94eff78627dd"
},
{
"type": "WEB",
"url": "https://github.com/apache/nifi-registry/commit/2881e29dce3a179f3e56069b82ef8cbb7bd8d85c"
},
{
"type": "WEB",
"url": "https://nifi.apache.org/registry-security.html#CVE-2020-9482"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Insufficient Session Expiration in Apache NiFi Registry"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.