VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base | Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 5 of 12
  • CVE-2026-40934 | Med | May 5, 2026
    risk 0.37 | cvss 6.8 | epss 0.00

    Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their…

  • CVE-2026-40939 | Med | Apr 21, 2026
    risk 0.37 | cvss - | epss 0.00

    The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access…

  • CVE-2025-46741 | Med | May 12, 2025
    risk 0.37 | cvss 5.7 | epss 0.00

    A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred.

  • CVE-2017-1693 | Med | Jan 19, 2018
    risk 0.36 | cvss 5.6 | epss 0.01

    IBM Integration Bus 9.0 and 10.0 could allow an attacker that has captured a valid session id to hijack another user's session during a small timeframe before the session times out. IBM X-Force ID: 134164.

  • CVE-2017-14007 | Med | Oct 17, 2017
    risk 0.36 | cvss 5.6 | epss 0.01

    An Insufficient Session Expiration issue was discovered in ProMinent MultiFLEX M10a Controller web interface. The user's session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization.

  • CVE-2026-53830 | Med | Jun 12, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    OpenClaw before 2026.4.22 contains a webhook secret revocation bypass vulnerability allowing callers with old Slack and Zalo webhook secrets to remain active after secrets.reload. Attackers can exploit the stale-secret window to deliver webhook events after operator-expected…

  • CVE-2026-53824 | Med | Jun 12, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stale token acceptance to invoke slash command behavior briefly after token…

  • CVE-2026-48726 | Med | Jun 1, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for `FabAuthManager` and `KeycloakAuthManager` did not actually reach the underlying `revoke_token()` call, so the JWT remained…

  • CVE-2026-22706 | Med | May 14, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and…

  • CVE-2026-5545 | Med | May 13, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing…

  • CVE-2026-44873 | Med | May 12, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration.…

  • CVE-2026-25720 | Med | Apr 24, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker with access to a previously authenticated…

  • CVE-2026-6515 | Med | Apr 22, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.9.6, 18.10 before 18.10.4, and 18.11 before 18.11.1 that could have allowed a user to use invalidated or incorrectly scoped credentials to access Virtual Registries under certain conditions.

  • CVE-2026-6848 | Med | Apr 22, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with…

  • CVE-2026-40587 | Med | Apr 21, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A…

  • CVE-2026-35594 | Med | Apr 10, 2026
    risk 0.35 | cvss 6.5 | epss 0.00

    Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When…

  • CVE-2024-57056 | Med | Feb 18, 2025
    risk 0.35 | cvss 5.4 | epss 0.00

    Incorrect cookie session handling in WombatDialer before 25.02 results in the full session identity being written to system logs and could be used by a malicious attacker to impersonate an existing user session.

  • CVE-2017-3215 | Med | Jun 20, 2017
    risk 0.35 | cvss 5.3 | epss 0.01

    The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions.

  • CVE-2026-44188 | Med | Jun 15, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Open Authorization) access token before a…

  • CVE-2025-54547 | Med | Oct 29, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g., scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired.