CWE-613
Insufficient Session Expiration
BaseIncomplete
Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (96)
page 4 of 5| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40939 | Med | 0.37 | — | 0.00 | Apr 21, 2026 | The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This vulnerability is fixed in 2.1.0. | |
| CVE-2025-46741 | Med | 0.37 | 5.7 | 0.00 | May 12, 2025 | A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred. | |
| CVE-2017-14007 | Med | 0.36 | 5.6 | 0.00 | Oct 17, 2017 | An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization. | |
| CVE-2026-44873 | Med | 0.35 | 5.4 | 0.00 | May 12, 2026 | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with compromised credentials could exploit this behavior to maintain unauthorized access even after the account has been disabled. | |
| CVE-2026-25720 | Med | 0.35 | 5.4 | 0.00 | Apr 24, 2026 | A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated session could continue interacting with administrative functions long after legitimate user activity has ceased. | |
| CVE-2026-6515 | Med | 0.35 | 5.4 | 0.00 | Apr 22, 2026 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions. | |
| CVE-2026-6848 | Med | 0.35 | 5.4 | 0.00 | Apr 22, 2026 | A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle authenticated browser session, to perform privileged actions without providing valid credentials. The vulnerability enables unauthorized execution of sensitive operations despite the user interface displaying an error for invalid credentials. | |
| CVE-2026-35594 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0. | |
| CVE-2026-34362 | Med | 0.35 | 5.4 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows captured or legitimately obtained tokens to provide permanent WebSocket access, even after user accounts are deleted, banned, or demoted from admin. Admin tokens grant access to real-time connection data for all online users including IP addresses, browser info, and page locations. Commit 5d5237121bf82c24e9e0fdd5bc1699f1157783c5 fixes the issue. | |
| CVE-2024-57056 | Med | 0.35 | 5.4 | 0.00 | Feb 18, 2025 | Incorrect cookie session handling in WombatDialer before 25.02 results in the full session identity being written to system logs and could be used by a malicious attacker to impersonate an existing user session. | |
| CVE-2025-54547 | Med | 0.34 | 5.3 | 0.00 | Oct 29, 2025 | On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired | |
| CVE-2025-4643 | Med | 0.34 | — | 0.00 | Aug 29, 2025 | Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload. | |
| CVE-2017-3215 | Med | 0.34 | 5.3 | 0.00 | Jun 20, 2017 | The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions. | |
| CVE-2017-12867 | Med | 0.31 | 5.9 | 0.00 | Aug 29, 2017 | The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. | |
| CVE-2025-48061 | Med | 0.29 | 5.6 | 0.00 | May 22, 2025 | wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the application. This does not happen when the user is logged in as a temporary user by selecting "This is a public computer" during login or the user selects "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed with wire-webapp version 2025-05-20-production.0. As a workaround, this behavior can be prevented by either deleting all information upon logout as well as logging in as a temporary client. | |
| CVE-2026-42421 | Med | 0.28 | 5.4 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions. | |
| CVE-2026-41916 | Med | 0.28 | 5.4 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations. | |
| CVE-2026-41356 | Med | 0.28 | 5.4 | 0.00 | Apr 23, 2026 | OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation. | |
| CVE-2026-0971 | Med | 0.28 | 4.3 | 0.00 | Apr 21, 2026 | An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page. | |
| CVE-2026-35462 | Med | 0.28 | 4.3 | 0.00 | Apr 7, 2026 | Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a user whose key has expired to continue accessing all protected endpoints as if the key were still valid. This vulnerability is fixed in 26.4.0. |