FKIE_CVE-2026-28275

Vulnerability from fkie_nvd - Published: 2026-02-26 23:16 - Updated: 2026-02-27 19:07
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
References
security-advisories@github.comhttps://github.com/Morelitea/initiative/releases/tag/v0.32.4Product, Release Notes
security-advisories@github.comhttps://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3hExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
morelitea initiative *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B50ACE8-1939-4039-8DC6-F45DB13167D5",
              "versionEndExcluding": "0.32.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Initiative es una plataforma de gesti\u00f3n de proyectos autoalojada. Las versiones de la aplicaci\u00f3n anteriores a la 0.32.4 no invalidan los tokens de acceso JWT emitidos previamente despu\u00e9s de que un usuario cambia su contrase\u00f1a. Como resultado, los tokens m\u00e1s antiguos permanecen v\u00e1lidos hasta su expiraci\u00f3n y a\u00fan pueden utilizarse para acceder a puntos finales de API protegidos. Este comportamiento permite el acceso autenticado continuado incluso despu\u00e9s de que la contrase\u00f1a de la cuenta haya sido actualizada. La versi\u00f3n 0.32.4 corrige el problema."
    }
  ],
  "id": "CVE-2026-28275",
  "lastModified": "2026-02-27T19:07:07.187",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T23:16:37.240",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-613"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.