Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

872 vulnerabilities reference this CWE, most recent first.

GHSA-WRMQ-9FC4-GWWJ

Vulnerability from github – Published: 2026-06-16 21:31 – Updated: 2026-06-18 13:03
VLAI
Summary
Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-q99w-vh6v-q3v7. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2026.5.26"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:03:03Z",
    "nvd_published_at": "2026-06-16T19:17:01Z",
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-q99w-vh6v-q3v7. This link is maintained to preserve external references.\n\n## Original Description\nOpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval, weakening revocation controls and maintaining unauthorized access longer than intended.",
  "id": "GHSA-wrmq-9fc4-gwwj",
  "modified": "2026-06-18T13:03:03Z",
  "published": "2026-06-16T21:31:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-q99w-vh6v-q3v7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53843"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-node-token-revocation-bypass-via-pairing-scoped-device-session"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: Pairing-scoped device session could restore revoked node token authority",
  "withdrawn": "2026-06-18T13:03:03Z"
}

GHSA-WVGJ-4785-CM7H

Vulnerability from github – Published: 2022-10-27 12:00 – Updated: 2025-05-07 21:31
VLAI
Details

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2782"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-27T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.",
  "id": "GHSA-wvgj-4785-cm7h",
  "modified": "2025-05-07T21:31:38Z",
  "published": "2022-10-27T12:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2782"
    },
    {
      "type": "WEB",
      "url": "https://advisories.octopus.com/post/2022/sa2022-21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WVJJ-4G8C-4V8V

Vulnerability from github – Published: 2025-07-28 18:31 – Updated: 2025-07-28 21:31
VLAI
Details

Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-50491"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-28T18:15:26Z",
    "severity": "HIGH"
  },
  "details": "Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack.",
  "id": "GHSA-wvjj-4g8c-4v8v",
  "modified": "2025-07-28T21:31:32Z",
  "published": "2025-07-28T18:31:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-50491"
    },
    {
      "type": "WEB",
      "url": "https://github.com/VasilVK/CVE/tree/main/CVE-2025-50491"
    },
    {
      "type": "WEB",
      "url": "http://bank.com"
    },
    {
      "type": "WEB",
      "url": "http://phpgurukul.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WW63-PV5X-VFC8

Vulnerability from github – Published: 2026-06-16 21:05 – Updated: 2026-06-16 21:05
VLAI
Summary
Daytona: Public sandbox previews remain accessible for up to one hour after being made private
Details

Summary

Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed.

Impact

When a sandbox owner changed a preview from public to private, the preview proxy could continue serving unauthenticated requests to that sandbox's ordinary preview ports for a bounded period before the change took effect. Only sandboxes that had been made public and were later set back to private were affected, and only until the proxy's cached visibility state was refreshed. Terminal, toolbox, and recording-dashboard ports were never affected, as those always require authentication. The issue did not involve cross-tenant access, privilege escalation, or remote code execution.

Patches

Fixed in v0.184.0. Sandbox visibility changes now invalidate the proxy's cached preview state immediately, so revoking a public preview takes effect on the next request.

Workarounds

Upgrade to v0.184.0 or later. There is no configuration workaround for earlier versions.

Credit

Reported through Daytona's Vulnerability Disclosure Program by mrknightnidu(nidalkhan). Linkedin: https://www.linkedin.com/in/mrknight-nidu-031340328/

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.183.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/daytonaio/daytona"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.101.0"
            },
            {
              "fixed": "0.184.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54321"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T21:05:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nSandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox\u0027s visibility changed.\n\n### Impact\nWhen a sandbox owner changed a preview from public to private, the preview proxy could continue serving unauthenticated requests to that sandbox\u0027s ordinary preview ports for a bounded period before the change took effect. Only sandboxes that had been made public and were later set back to private were affected, and only until the proxy\u0027s cached visibility state was refreshed. Terminal, toolbox, and recording-dashboard ports were never affected, as those always require authentication. The issue did not involve cross-tenant access, privilege escalation, or remote code execution.\n\n### Patches\nFixed in v0.184.0. Sandbox visibility changes now invalidate the proxy\u0027s cached preview state immediately, so revoking a public preview takes effect on the next request.\n\n### Workarounds\nUpgrade to v0.184.0 or later. There is no configuration workaround for earlier versions.\n\n### Credit\nReported through Daytona\u0027s Vulnerability Disclosure Program by **mrknightnidu(nidalkhan)**.\n**Linkedin**: https://www.linkedin.com/in/mrknight-nidu-031340328/",
  "id": "GHSA-ww63-pv5x-vfc8",
  "modified": "2026-06-16T21:05:14Z",
  "published": "2026-06-16T21:05:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-ww63-pv5x-vfc8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/daytonaio/daytona"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Daytona: Public sandbox previews remain accessible for up to one hour after being made private"
}

GHSA-WWC3-C577-533M

Vulnerability from github – Published: 2026-04-24 00:31 – Updated: 2026-05-04 21:59
VLAI
Summary
Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rfqg-qgf8-xr9x. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:59:59Z",
    "nvd_published_at": "2026-04-23T22:16:43Z",
    "severity": "LOW"
  },
  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rfqg-qgf8-xr9x. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.",
  "id": "GHSA-wwc3-c577-533m",
  "modified": "2026-05-04T21:59:59Z",
  "published": "2026-04-24T00:31:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rfqg-qgf8-xr9x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41356"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/91f7a6b0fd67b703897e6e307762d471ca09333d"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-in-device-token-rotate"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation",
  "withdrawn": "2026-05-04T21:59:59Z"
}

GHSA-WWJC-H7F8-CQV5

Vulnerability from github – Published: 2025-04-24 12:31 – Updated: 2025-04-24 12:31
VLAI
Details

Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-24T10:15:16Z",
    "severity": "HIGH"
  },
  "details": "Due to improper\u00a0JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.",
  "id": "GHSA-wwjc-h7f8-cqv5",
  "modified": "2025-04-24T12:31:28Z",
  "published": "2025-04-24T12:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47663"
    },
    {
      "type": "WEB",
      "url": "https://www.sciencedirect.com/science/article/pii/S2351978921001657"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WWJW-R3GJ-39FQ

Vulnerability from github – Published: 2022-06-17 20:57 – Updated: 2022-06-24 19:54
VLAI
Summary
Insufficient Session Expiration in TYPO3's Admin Tool
Details

Meta

  • CVSS: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C (5.6)

Problem

Admin Tool sessions initiated via the TYPO3 backend user interface have not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit.

Solution

Update to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.

Credits

Thanks to Kien Hoang who reported this issue and to TYPO3 framework merger Ralf Zimmermann and TYPO3 security member Oliver Hader who fixed the issue.

References

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.5.35"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.4.29"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "typo3/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.5.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T20:57:27Z",
    "nvd_published_at": "2022-06-14T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "\u003e ### Meta\n\u003e * CVSS: `CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L/E:F/RL:O/RC:C` (5.6)\n\n### Problem\nAdmin Tool sessions initiated via the TYPO3 backend user interface have not been revoked even if the corresponding user account was degraded to lower permissions or disabled completely. This way, sessions in the admin tool theoretically could have been prolonged without any limit.\n\n### Solution\nUpdate to TYPO3 versions 9.5.35 ELTS, 10.4.29, 11.5.11 that fix the problem described above.\n\n### Credits\nThanks to Kien Hoang who reported this issue and to TYPO3 framework merger Ralf Zimmermann and TYPO3 security member Oliver Hader who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2022-005](https://typo3.org/security/advisory/typo3-core-sa-2022-005)",
  "id": "GHSA-wwjw-r3gj-39fq",
  "modified": "2022-06-24T19:54:44Z",
  "published": "2022-06-17T20:57:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-wwjw-r3gj-39fq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31050"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TYPO3/typo3/commit/592387972912290c135ebecc91768a67f83a3a4d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2022-31050.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/TYPO3-CMS/core"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-core-sa-2022-005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insufficient Session Expiration in TYPO3\u0027s Admin Tool"
}

GHSA-WX2Q-8M6X-V282

Vulnerability from github – Published: 2023-04-18 21:30 – Updated: 2024-04-04 03:34
VLAI
Details

A CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain unauthorized access over a hijacked session in PME after the legitimate user has signed out of their account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-28003"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-18T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "\n\n\nA CWE-613: Insufficient Session Expiration vulnerability exists that could allow an attacker to\nmaintain unauthorized access over a hijacked session in PME after the legitimate user has\nsigned out of their account.\n\n\n\n",
  "id": "GHSA-wx2q-8m6x-v282",
  "modified": "2024-04-04T03:34:42Z",
  "published": "2023-04-18T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28003"
    },
    {
      "type": "WEB",
      "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2023-073-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2023-073-01.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WX4J-99R4-V8WG

Vulnerability from github – Published: 2022-05-24 22:29 – Updated: 2022-05-24 22:29
VLAI
Details

In “Orchard core CMS” application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-25966"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-10T10:15:00Z",
    "severity": "HIGH"
  },
  "details": "In \u201cOrchard core CMS\u201d application, versions 1.0.0-beta1-3383 to 1.0.0 are vulnerable to an improper session termination after password change. When a password has been changed by the user or by an administrator, a user that was already logged in, will still have access to the application even after the password was changed.",
  "id": "GHSA-wx4j-99r4-v8wg",
  "modified": "2022-05-24T22:29:04Z",
  "published": "2022-05-24T22:29:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25966"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OrchardCMS/OrchardCore/blob/v1.0.0/src/OrchardCore.Modules/OrchardCore.Users/Controllers/ResetPasswordController.cs#L123"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25966"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-WXG7-W2V3-W38G

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
Details

Summary

Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.

Specifically, within the validation pipeline:

  • Missing Expiration (exp) Enforcement: If an incoming JWT omits the exp claim entirely, the expiration block is silently skipped rather than rejected. The token is treated as valid forever.
  • Missing Issued-At (iat) Enforcement: ZITADEL enforces a 1-hour freshness window (maxAge) via the token's issue time. However, this safety check is guarded by a presence condition. If a token omits the iat claim, the freshness check is entirely bypassed, allowing arbitrarily old tokens to pass.

Per the OIDC Core 1.0 specification, identity token validation pipelines must strictly handle and enforce session expiration. ZITADEL's silent acceptance of tokens missing these temporal constraints compromises session integrity.

Impact

An attacker in possession of a token that lacks both exp and iat claims holds a permanent credential that will never expire and will always be deemed "fresh" by the system. Even without combining both flaws, the absence of an expiration constraint means a leaked token effectively turns into a skeleton key for that user session with no automatic revocation window.

Affected Versions

Systems running one of the following versions are affected:

  • 4.x: 4.0.0 through 4.15.1 (including RC versions)
  • 3.x: 3.0.0 through 3.4.11 (including RC versions)

Patches

The vulnerability has been addressed in the latest releases. ZITADEL now explicitly rejects tokens that lack an exp or iat claim.

Workarounds

The recommended solution is to update ZITADEL to a patched version.

If an immediate upgrade is not feasible, ensure at the Identity Provider level that the external IdP is rigidly configured to enforce short token lifetimes and explicitly includes both exp and iat claims in every single token payload it signs and issues.

Questions

If you have any questions or comments about this advisory, please email us at security@zitadel.com

Credits

Thanks to Android-Login-Analysis, Jason Zhou and Pedro Giglioti for reporting this vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.80.0-v2.20.0.20260615122908-fad02c6d9f45"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:21Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nTwo closely related token lifecycle validation vulnerabilities were discovered in ZITADEL\u0027s external JWT Identity Provider (IdP) implementation.\n\nSpecifically, within the validation pipeline:\n\n* **Missing Expiration (`exp`) Enforcement:** If an incoming JWT omits the `exp` claim entirely, the expiration block is silently skipped rather than rejected. The token is treated as valid forever.\n* **Missing Issued-At (`iat`) Enforcement:** ZITADEL enforces a 1-hour freshness window (`maxAge`) via the token\u0027s issue time. However, this safety check is guarded by a presence condition. If a token omits the `iat` claim, the freshness check is entirely bypassed, allowing arbitrarily old tokens to pass.\n\nPer the OIDC Core 1.0 specification, identity token validation pipelines must strictly handle and enforce session expiration. ZITADEL\u0027s silent acceptance of tokens missing these temporal constraints compromises session integrity.\n\n### Impact\n\nAn attacker in possession of a token that lacks both `exp` and `iat` claims holds a permanent credential that will never expire and will always be deemed \"fresh\" by the system. Even without combining both flaws, the absence of an expiration constraint means a leaked token effectively turns into a skeleton key for that user session with no automatic revocation window.\n\n### Affected Versions\n\nSystems running one of the following versions are affected:\n\n* **4.x**: `4.0.0` through `4.15.1` (including RC versions)\n* **3.x**: `3.0.0` through `3.4.11` (including RC versions)\n\n### Patches\n\nThe vulnerability has been addressed in the latest releases. ZITADEL now explicitly rejects tokens that lack an `exp` or `iat` claim.\n\n* **4.x**: Upgrade to $\\ge$ [4.15.2](https://github.com/zitadel/zitadel/releases/tag/v4.15.2)\n* **3.x**: Upgrade to $\\ge$ [3.4.12](https://github.com/zitadel/zitadel/releases/tag/v3.4.12)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\nIf an immediate upgrade is not feasible, ensure at the Identity Provider level that the external IdP is rigidly configured to enforce short token lifetimes and **explicitly includes** both `exp` and `iat` claims in every single token payload it signs and issues.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to [Android-Login-Analysis](https://github.com/Android-Login-Analysis), Jason Zhou and [Pedro Giglioti](https://github.com/Punisher100) for reporting this vulnerability.",
  "id": "GHSA-wxg7-w2v3-w38g",
  "modified": "2026-06-18T13:52:21Z",
  "published": "2026-06-18T13:52:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-wxg7-w2v3-w38g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/fad02c6d9f4587956f830d4536c64a9a94baa7ac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v3.4.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v4.15.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": " ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.