Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

874 vulnerabilities reference this CWE, most recent first.

GHSA-R6XP-85FR-87P6

Vulnerability from github – Published: 2022-05-24 19:19 – Updated: 2022-05-24 19:19
VLAI
Details

In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-40849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-11-03T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited and logged into, resulting in information disclosure (at a minimum) and often escalation of privileges.",
  "id": "GHSA-r6xp-85fr-87p6",
  "modified": "2022-05-24T19:19:35Z",
  "published": "2022-05-24T19:19:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40849"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/mahara/+bug/1930469"
    },
    {
      "type": "WEB",
      "url": "https://mahara.org/interaction/forum/topic.php?id=8949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R76W-3WWQ-JV6V

Vulnerability from github – Published: 2023-03-07 00:30 – Updated: 2024-10-21 19:57
VLAI
Summary
Insufficient Session Expiration in pretix
Details

rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.17.0"
            },
            {
              "fixed": "4.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.16.0"
            },
            {
              "fixed": "4.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pretix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.15.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-14T23:01:26Z",
    "nvd_published_at": "2023-03-06T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "rami.io pretix before 4.17.1 allows OAuth application authorization from a logged-out session. The fixed versions are 4.15.1, 4.16.1, and 4.17.1.",
  "id": "GHSA-r76w-3wwq-jv6v",
  "modified": "2024-10-21T19:57:52Z",
  "published": "2023-03-07T00:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pretix/PYSEC-2023-42.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thufschmitt/pretix-nix"
    },
    {
      "type": "WEB",
      "url": "https://pretix.eu/about/en/blog/20230306-release-4171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insufficient Session Expiration in pretix"
}

GHSA-R7CM-W9CH-CF3G

Vulnerability from github – Published: 2026-06-15 12:32 – Updated: 2026-06-15 12:32
VLAI
Details

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44188"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-15T10:16:28Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a user logs out, they can continue to authenticate and access sensitive data. This is because the application fails to invalidate the token on the backend, leaving it valid until its natural expiration. This can lead to unauthorized read access to Ansible resources such as inventories, playbooks, and configuration data.",
  "id": "GHSA-r7cm-w9ch-cf3g",
  "modified": "2026-06-15T12:32:44Z",
  "published": "2026-06-15T12:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44188"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25928"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-44188"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466764"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R8PM-G6V2-5WGX

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

The vulnerability can be described as a failure to invalidate user session upon password change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-35214"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The vulnerability can be described as a failure to invalidate user session upon password change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session.",
  "id": "GHSA-r8pm-g6v2-5wgx",
  "modified": "2022-05-24T19:17:18Z",
  "published": "2022-05-24T19:17:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35214"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R926-QJG2-Q5JR

Vulnerability from github – Published: 2023-12-14 06:30 – Updated: 2025-11-04 21:30
VLAI
Details

An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49935"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-14T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.",
  "id": "GHSA-r926-qjg2-q5jr",
  "modified": "2025-11-04T21:30:52Z",
  "published": "2023-12-14T06:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49935"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/63FEDDYEE2WK7FHWBHKON3OZVQI56WSQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AYQS3LFGC4HE4WCW4L3NAA2I6FRIWMNO"
    },
    {
      "type": "WEB",
      "url": "https://lists.schedmd.com/pipermail/slurm-announce/2023/000103.html"
    },
    {
      "type": "WEB",
      "url": "https://www.schedmd.com/security-archive.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R954-PFF6-J82V

Vulnerability from github – Published: 2025-01-02 18:30 – Updated: 2025-01-02 18:30
VLAI
Details

Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56413"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T16:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.",
  "id": "GHSA-r954-pff6-j82v",
  "modified": "2025-01-02T18:30:36Z",
  "published": "2025-01-02T18:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56413"
    },
    {
      "type": "WEB",
      "url": "https://security-advisory.acronis.com/advisories/SEC-7612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R989-7G3J-WJHW

Vulnerability from github – Published: 2026-06-17 14:07 – Updated: 2026-06-17 14:07
VLAI
Summary
NocoDB: Refresh Tokens Persist Through Password Recovery
Details

Summary

A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password.

Details

passwordChange and passwordReset deleted the user's refresh tokens, but passwordForgot only rotated token_version and revoked OAuth tokens — it did not call UserRefreshToken.deleteAllUserToken(user.id). An attacker holding a captured refresh cookie could still exchange it for a new access token after the victim triggered the recovery flow.

Impact

Persistent unauthorized access after password recovery. Once a refresh token leaks, the documented "Forgot password" recovery flow did not in fact revoke the attacker's session.

Credit

This issue was reported by @bugbunny-research.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "nocodb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.301.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T14:07:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nA stolen refresh token survived a password-forgot flow and could be used to mint fresh\nJWTs even after the user reset their password.\n\n### Details\n`passwordChange` and `passwordReset` deleted the user\u0027s refresh tokens, but\n`passwordForgot` only rotated `token_version` and revoked OAuth tokens \u2014 it did not\ncall `UserRefreshToken.deleteAllUserToken(user.id)`. An attacker holding a captured\nrefresh cookie could still exchange it for a new access token after the victim\ntriggered the recovery flow.\n\n### Impact\nPersistent unauthorized access after password recovery. Once a refresh token leaks, the\ndocumented \"Forgot password\" recovery flow did not in fact revoke the attacker\u0027s\nsession.\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
  "id": "GHSA-r989-7g3j-wjhw",
  "modified": "2026-06-17T14:07:33Z",
  "published": "2026-06-17T14:07:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-r989-7g3j-wjhw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nocodb/nocodb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "NocoDB: Refresh Tokens Persist Through Password Recovery"
}

GHSA-R9RJ-JC5H-JCWH

Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-02-14 18:30
VLAI
Details

When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-14T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "When BIG-IP is deployed in high availability (HA) and an iControl REST API token is updated, the change does not sync to the peer device.  \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated",
  "id": "GHSA-r9rj-jc5h-jcwh",
  "modified": "2024-02-14T18:30:25Z",
  "published": "2024-02-14T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22389"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K32544615"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCM4-JV5G-WCCM

Vulnerability from github – Published: 2024-06-07 22:30 – Updated: 2024-06-07 22:30
VLAI
Summary
zfr authentication adapter did not verify validity of tokens
Details

Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release 0.1.2), tokens weren't checked for validity/expiration.

This potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "zfr/zfr-oauth2-server-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T22:30:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Previous to @2ca5bb1c2f11537be8f94ca6867d8d69789e744a (release [0.1.2](https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2)), tokens weren\u0027t checked for validity/expiration.\n\nThis potentially caused a security issue if expired tokens were not deleted after the expiration time was past, allowing anyone to still use invalidated authentication credentials.",
  "id": "GHSA-rcm4-jv5g-wccm",
  "modified": "2024-06-07T22:30:03Z",
  "published": "2024-06-07T22:30:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module/issues/6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module/commit/2ca5bb1c2f11537be8f94ca6867d8d69789e744a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/zfr/zfr-oauth2-server-module/2014-04-26.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zf-fr/zfr-oauth2-server-module/tree/0.1.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "zfr authentication adapter did not verify validity of tokens"
}

GHSA-RCWJ-2HJ2-VMJJ

Vulnerability from github – Published: 2022-02-09 00:23 – Updated: 2022-02-09 00:23
VLAI
Summary
Insufficient Session Expiration in Apache NiFi Registry
Details

If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.nifi.registry:nifi-registry-web-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.1.0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-9482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-29T18:36:05Z",
    "nvd_published_at": "2020-04-28T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "If NiFi Registry 0.1.0 to 0.5.0 uses an authentication mechanism other than PKI, when the user clicks Log Out, NiFi Registry invalidates the authentication token on the client side but not on the server side. This permits the user\u0027s client-side token to be used for up to 12 hours after logging out to make API requests to NiFi Registry.",
  "id": "GHSA-rcwj-2hj2-vmjj",
  "modified": "2022-02-09T00:23:06Z",
  "published": "2022-02-09T00:23:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi-registry/pull/259/commits/32f9352465e877d71ad7f85b70f2304ba620e133#diff-a72e640a2c41fe6fe8848066f6a588da2e9e76350bef287d7e145a231042c485"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi-registry/pull/277/files/9f7f1c1b1095e3facdaa986435fa94eff78627dd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/nifi-registry/commit/2881e29dce3a179f3e56069b82ef8cbb7bd8d85c"
    },
    {
      "type": "WEB",
      "url": "https://nifi.apache.org/registry-security.html#CVE-2020-9482"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in Apache NiFi Registry"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.