CWE-324
Use of a Key Past its Expiration Date
Description
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.
Hierarchy (View 1000)
Parents
CWE-672: Operation on a Resource after Expiration or Release
Children
none
CVEs mapped to this weakness (9)
| CVE | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2026-43585 | High | 0.46 | 8.1 | 0.01 | May 6, 2026 | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to re-resolve authentication per-request, enabling attackers to use rotated-out bearer… |
| CVE-2023-5342 | Medium | 0.27 | 4.1 | 0.00 | Aug 14, 2025 | The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired, which could lead to old or invalid signed boot components being loaded. |
| CVE-2026-52809 | Medium | 0.19 | — | 0.00 | Jun 23, 2026 | Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification… |
| CVE-2024-7318 | — | 0.00 | — | 0.00 | Sep 9, 2024 | A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1… |
| CVE-2024-38277 | — | 0.00 | — | 0.00 | Jun 18, 2024 | A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. |
| CVE-2022-24732 | — | 0.00 | — | 0.00 | Mar 9, 2022 | Maddy Mail Server is an open source SMTP compatible email server. Versions of maddy prior to 0.5.4 do not implement password expiry or account expiry checking when authenticating using PAM. Users are advised to upgrade. Users unable to upgrade should manually remove expired… |
| CVE-2019-10643 | — | 0.00 | — | 0.01 | Apr 17, 2019 | Contao 4.7 allows Use of a Key Past its Expiration Date. |
| CVE-2013-2104 | — | 0.00 | — | 0.02 | Jan 21, 2014 | python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires. |
| CVE-2012-5563 | — | 0.00 | — | 0.03 | Dec 18, 2012 | OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a… |
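The rows above show the two ways this weakness most often reaches production code, beyond the plain case of never checking expiry at all: a verifier that resolves its signing keys or auth configuration once at startup and never again, so material that has since been rotated out keeps authenticating (the OpenClaw row), and a verifier that trusts a lifetime carried inside the token rather than the server's own policy, so a token minted with the wrong lifetime stays usable for that whole window (the CVE-2026-52809 row). The Python below is an added example written for this page, not code from CWE or from any of the listed projects; the token format, the `KeyStore` class, the `issue`/`verify_*` functions and the lifetime constants are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side lifetime policy (values assumed for this example, in seconds).
RESET_CODE_LIVES = 180        # how long a password-reset token should live
ACTIVATE_CODE_LIVES = 86400   # how long an account-activation code lives


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(payload: dict, kid: str, key: bytes) -> str:
    """Mint '<kid>.<base64url(JSON payload)>.<hex HMAC-SHA256>' (constructed format)."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{body}.{tag}"


def _authenticate(token: str, keys: dict) -> Optional[dict]:
    """Return the payload if the MAC verifies under the key named by kid, else None."""
    try:
        kid, body, tag = token.split(".")
    except ValueError:
        return None
    key = keys.get(kid)
    if key is None:
        return None
    expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(body))


class KeyStore:
    """Currently valid signing keys by id (hypothetical). rotate() retires every previous key."""
    def __init__(self, keys: dict):
        self._keys = dict(keys)

    def current(self) -> dict:
        return dict(self._keys)

    def rotate(self, kid: str, key: bytes) -> None:
        self._keys = {kid: key}


def verify_weak(token: str, keys_at_startup: dict, now: float) -> Optional[dict]:
    """CWE-324 as in the rows above: the key set was resolved once at process start,
    so a rotated-out key still authenticates; and the lifetime is read back out of
    the token, so the issuer's policy is never applied to a token minted with the
    wrong lifetime."""
    payload = _authenticate(token, keys_at_startup)
    if payload is None:
        return None
    if now > payload["iat"] + payload["lives"]:
        return None
    return payload


def verify_strict(token: str, store: KeyStore, now: float,
                  lives: int = RESET_CODE_LIVES) -> Optional[dict]:
    """Hardened check: re-resolve the key set on every call, bind the token to its
    purpose, and apply the server-side lifetime rather than anything in the token."""
    payload = _authenticate(token, store.current())
    if payload is None or payload.get("purpose") != "reset":
        return None
    age = now - payload["iat"]
    if age < 0 or age > lives:      # issued in the future or expired: refuse
        return None
    return payload


def demo() -> dict:
    """Exercise both failure modes with a fixed clock; returns the outcomes."""
    store = KeyStore({"k1": b"initial-secret-key"})
    startup_keys = store.current()      # what the weak verifier holds forever
    t0 = 1_700_000_000                  # constructed 'now', so the run is deterministic

    # Reset token minted with the activation lifetime by mistake.
    bad = issue({"sub": "alice", "purpose": "reset", "iat": t0,
                 "lives": ACTIVATE_CODE_LIVES}, "k1", b"initial-secret-key")
    later = t0 + 3600                   # one hour in: far past RESET_CODE_LIVES
    out = {
        "weak_accepts_stale_lifetime": verify_weak(bad, startup_keys, later) is not None,
        "strict_rejects_stale_lifetime": verify_strict(bad, store, later) is None,
    }

    # Fresh token under k1, then the key is rotated to k2.
    fresh = issue({"sub": "alice", "purpose": "reset", "iat": t0,
                   "lives": RESET_CODE_LIVES}, "k1", b"initial-secret-key")
    store.rotate("k2", b"rotated-secret-key")
    out["weak_accepts_rotated_key"] = verify_weak(fresh, startup_keys, t0 + 10) is not None
    out["strict_rejects_rotated_key"] = verify_strict(fresh, store, t0 + 10) is None
    out["strict_accepts_current_key"] = verify_strict(
        issue({"sub": "alice", "purpose": "reset", "iat": t0}, "k2", b"rotated-secret-key"),
        store, t0 + 10) is not None
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The strict path deliberately ignores any `lives` field in the payload: expiry is a server policy, so the only thing the token needs to carry is when it was issued and for what purpose, and the verifier looks the key set up fresh on every request so a rotation takes effect immediately rather than at the next restart.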