VYPR
Moderate severity · NVD Advisory · Published Apr 9, 2024 · Updated Aug 2, 2024

Contao's remember-me tokens will not be cleared after a password change

CVE-2024-30262

Description

Contao is an open source content management system. Prior to version 4.13.40, when a frontend member changes their password in the personal data or the password lost module, the corresponding remember-me tokens are not removed. If someone compromises an account and is able to get a remember-me token, changing the password would not be enough to reclaim control over the account. Version 4.13.40 contains a fix for the issue. As a workaround, disable "Allow auto login" in the login module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-30262: Contao fails to invalidate remember-me tokens after a password change, allowing persistent unauthorized access via a compromised token.

Vulnerability

Description

Contao, an open source content management system, prior to version 4.13.40 does not remove a frontend member's remember-me tokens when that member's password is changed via the personal data module, the change password module, or the password lost (reset) module [1]. The root cause is simply that no token deletion step existed in any of these password change flows, so a previously issued remember-me token stays valid after the password hash is updated [3]. The token is a separate credential from the password: as long as the persisted token row exists and has not expired, presenting the cookie logs the holder in without the password ever being checked.

Attack

Vector

An attacker who has compromised an account and obtained a valid remember-me token can continue to use that token even after the legitimate user changes their password [1][4]. No additional authentication is required because the token remains active. The attack complexity is low, requiring only network access to the application and prior access to a token [4].

Impact

If an attacker gains a remember-me token, changing the password is insufficient to reclaim control of the account. The attacker retains persistent access, maintaining the same level of privilege as the compromised user [1]. This bypasses a standard security measure and can lead to prolonged unauthorized access to the account's data and functionality.

Mitigation

The issue is fixed in Contao version 4.13.40 [1][3]. The fix, visible in the commit at [3], adds a deleteByUsername method to RememberMeRepository that deletes every stored token for a given username, and calls it from the three frontend modules that write a member password: ModuleChangePassword, ModulePassword (the lost-password flow) and ModulePersonalData (only when the submitted widget is a password field). Because those legacy modules fetch the repository from the container, the same commit marks the contao.repository.remember_me service as public. As a workaround, administrators can disable the "Allow auto login" option in the login module, which stops the module from issuing remember-me tokens [1]; the advisory does not state that this revokes tokens that were issued before the option was turned off, so an administrator who suspects an existing compromise should not rely on the workaround alone.
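The token lifecycle described in the Description, Vector and Mitigation passages above, as an added example that is not part of this page or of Contao's code base. It models a two-part persistent remember-me token (a series identifier plus a rotating secret, the shape a Symfony-style remember-me cookie carries) in an in-memory SQLite table, then runs the vulnerable password change and the fixed password change against the same stolen cookie. The class, table and column names are assumptions chosen for the demo; the real fix deletes RememberMe entities by username through Doctrine, as the patch further down shows.

```php
<?php
// Added example (not Contao's own code). Models CVE-2024-30262: a persistent
// remember-me token that survives a password change unless the change flow
// deletes the stored token rows. Table/column names are demo assumptions.
declare(strict_types=1);

final class RememberMeStore
{
    private PDO $db;

    public function __construct()
    {
        $this->db = new PDO('sqlite::memory:');
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE member (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
        // series identifies the cookie, value is the random secret the cookie must present
        $this->db->exec('CREATE TABLE remember_me (series TEXT PRIMARY KEY, value TEXT NOT NULL, username TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    public function createMember(string $username, string $password): void
    {
        $stmt = $this->db->prepare('INSERT INTO member (username, password_hash) VALUES (?, ?)');
        $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    }

    /** Password login that also issues a persistent token; returns the cookie payload or null. */
    public function issueToken(string $username, string $password): ?string
    {
        $stmt = $this->db->prepare('SELECT password_hash FROM member WHERE username = ?');
        $stmt->execute([$username]);
        $hash = $stmt->fetchColumn();
        if ($hash === false || !password_verify($password, $hash)) {
            return null;
        }
        $series = bin2hex(random_bytes(16));
        $value  = bin2hex(random_bytes(32));
        $stmt = $this->db->prepare('INSERT INTO remember_me (series, value, username, expires) VALUES (?, ?, ?, ?)');
        $stmt->execute([$series, $value, $username, time() + 30 * 86400]);
        return $series . ':' . $value;
    }

    /** Cookie-only authentication: the password is never consulted, which is the whole point. */
    public function authenticateByToken(string $cookie): ?string
    {
        [$series, $value] = explode(':', $cookie, 2) + [1 => ''];
        $stmt = $this->db->prepare('SELECT value, username, expires FROM remember_me WHERE series = ?');
        $stmt->execute([$series]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['expires'] < time() || !hash_equals($row['value'], $value)) {
            return null;
        }
        return $row['username'];
    }

    /** Pre-4.13.40 behaviour: rotate the hash and touch nothing else. */
    public function changePasswordVulnerable(string $username, string $newPassword): void
    {
        $this->updateHash($username, $newPassword);
    }

    /** Fixed behaviour: rotate the hash and drop every token for the user in one transaction. */
    public function changePasswordFixed(string $username, string $newPassword): void
    {
        $this->db->beginTransaction();
        $this->updateHash($username, $newPassword);
        $this->deleteByUsername($username);
        $this->db->commit();
    }

    /** Demo counterpart of the patch's RememberMeRepository::deleteByUsername(). */
    public function deleteByUsername(string $username): int
    {
        $stmt = $this->db->prepare('DELETE FROM remember_me WHERE username = ?');
        $stmt->execute([$username]);
        return $stmt->rowCount();
    }

    private function updateHash(string $username, string $newPassword): void
    {
        $stmt = $this->db->prepare('UPDATE member SET password_hash = ? WHERE username = ?');
        $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
    }
}

// Scenario: the attacker has copied the victim's remember-me cookie; the victim rotates the password.
$store = new RememberMeStore();
$store->createMember('alice', 'old-password');
$stolenCookie = $store->issueToken('alice', 'old-password');

$store->changePasswordVulnerable('alice', 'new-password');
printf("vulnerable flow, token after password change: %s\n", $store->authenticateByToken($stolenCookie) ?? 'rejected');

$store->changePasswordFixed('alice', 'newer-password');
printf("fixed flow, token after password change: %s\n", $store->authenticateByToken($stolenCookie) ?? 'rejected');
```

Run with `php demo.php` (needs the pdo_sqlite extension). After the vulnerable change the stolen cookie still authenticates as alice; after the fixed change it is rejected, because the row it points at no longer exists. Deleting by username rather than by the current cookie's series is deliberate: it clears every device's token, including any the attacker created, not only the one the victim happens to be using.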

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
contao/core-bundle   Packagist   < 4.13.40           4.13.40


Patches

3032baa456f6

Merge pull request from GHSA-r4r6-j2j3-7pp5

https://github.com/contao/contao · David Greminger · Apr 9, 2024 · via ghsa
5 files changed · +22 −0
  • core-bundle/src/Repository/RememberMeRepository.php · +12 −0 · modified
    @@ -119,4 +119,16 @@ public function persist(RememberMe ...$entities): void
     
             $this->_em->flush();
         }
    +
    +    public function deleteByUsername(string $username): void
    +    {
    +        $qb = $this->_em->createQueryBuilder();
    +        $qb
    +            ->delete($this->_entityName, 'rm')
    +            ->where('rm.username = :username')
    +            ->setParameter('username', $username)
    +        ;
    +
    +        $qb->getQuery()->execute();
    +    }
     }
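Review bot: deleteByUsername() ships without a test (all five changed files are production code) and matches on exact username equality only; add a unit test that issues a token, runs a password change, and asserts the row is gone, and note in a docblock that callers must pass the member's current username, since rows stored under any other value are not matched. The DQL delete also bypasses the unit of work, so any RememberMe entity already loaded in the identity map stays stale for the rest of the request; a one-line comment saying so would save the next reader a surprise.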
    
  • core-bundle/src/Resources/config/services.yml · +1 −0 · modified
    @@ -527,6 +527,7 @@ services:
     
         contao.repository.remember_me:
             class: Contao\CoreBundle\Repository\RememberMeRepository
    +        public: true
             arguments:
                 - '@doctrine'
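Review bot: `public: true` is added only so the legacy Contao\Module* classes can reach the repository via System::getContainer()->get(), which exposes the whole repository to every container consumer. If constructor injection is not possible for these modules, consider exposing a narrowly scoped service (a "password changed" handler that wraps deleteByUsername) instead of the repository itself, and leave a comment here explaining why the service is public so the flag is not removed in a later cleanup.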
     
    
  • core-bundle/src/Resources/contao/modules/ModuleChangePassword.php · +2 −0 · modified
    @@ -178,6 +178,8 @@ protected function compile()
     			$objMember->password = $objNewPassword->value;
     			$objMember->save();
     
    +			System::getContainer()->get('contao.repository.remember_me')->deleteByUsername($objMember->username);
    +
     			// Create a new version
     			if ($GLOBALS['TL_DCA'][$strTable]['config']['enableVersioning'] ?? null)
     			{
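Review bot: the `System::getContainer()->get('contao.repository.remember_me')->deleteByUsername($objMember->username);` line is pasted verbatim into three modules, so any other path that writes a member password (backend edits of tl_member, imports, custom modules) will silently keep the bug. Suggest moving the call into one place that every password write passes through, such as a save callback on the password field or a listener that fires when a member's password changes, and having the modules rely on that instead of each remembering to call the repository.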
    
  • core-bundle/src/Resources/contao/modules/ModulePassword.php · +2 −0 · modified
    @@ -259,6 +259,8 @@ protected function setNewPassword()
     				$objMember->password = $objWidget->value;
     				$objMember->save();
     
    +				System::getContainer()->get('contao.repository.remember_me')->deleteByUsername($objMember->username);
    +
     				$optInToken->confirm();
     
     				// Create a new version
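Review bot: the delete runs between $objMember->save() and $optInToken->confirm(); if the delete throws, the new password is already persisted but the opt-in token is never consumed and the version record below is never written. Either confirm the opt-in token first, since it is the one-time credential that authorises this reset, or run save(), deleteByUsername() and confirm() inside one transaction so the reset either completes or rolls back as a unit.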
    
  • core-bundle/src/Resources/contao/modules/ModulePersonalData.php · +5 −0 · modified
    @@ -303,6 +303,11 @@ protected function compile()
     						// Set the new field in the member model
     						$blnModified = true;
     						$objMember->$field = $varValue;
    +
    +						if ($objWidget instanceof FormPassword)
    +						{
    +							System::getContainer()->get('contao.repository.remember_me')->deleteByUsername($objMember->username);
    +						}
     					}
     				}
     			}
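Review bot: here the delete fires inside the field loop as soon as a FormPassword value is assigned, before the member model is saved (the save is outside this hunk), whereas the other two modules delete after save(). If the save later fails, the member's tokens are gone while the old password remains, which is harmless but inconsistent, and a form with more than one password widget would issue the delete more than once. Set a flag here instead and perform the delete once, after the save, so all three flows behave the same.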
    
