CWE-613
Insufficient Session Expiration
Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (239)
page 6 of 12| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-4643 | Med | 0.34 | — | 0.00 | Aug 29, 2025 | Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been… | ||
| CVE-2024-50562 | Med | 0.34 | 4.8 | 0.01 | Jun 10, 2025 | An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again,… | ||
| CVE-2026-45005 | Med | 0.32 | 6.0 | 0.00 | May 11, 2026 | OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured… | ||
| CVE-2017-12867 | Med | 0.31 | 5.9 | 0.01 | Aug 29, 2017 | The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset. | ||
| CVE-2025-48061 | Med | 0.29 | 5.6 | 0.00 | May 22, 2025 | wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the… | ||
| CVE-2026-42421 | Med | 0.28 | 5.4 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing… | ||
| CVE-2026-41916 | Med | 0.28 | 5.4 | 0.00 | Apr 28, 2026 | OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication… | ||
| CVE-2026-41356 | Med | 0.28 | 5.4 | 0.00 | Apr 23, 2026 | OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation. | ||
| CVE-2026-0971 | Med | 0.28 | 4.3 | 0.00 | Apr 21, 2026 | An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page. | ||
| CVE-2026-35462 | Med | 0.28 | 4.3 | 0.00 | Apr 7, 2026 | Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a… | ||
| CVE-2026-34362 | Med | 0.28 | 5.4 | 0.00 | Mar 27, 2026 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a… | ||
| CVE-2025-12110 | Med | 0.28 | 5.4 | 0.00 | Oct 23, 2025 | A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes… | ||
| CVE-2025-11429 | Med | 0.28 | 5.4 | 0.00 | Oct 23, 2025 | A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the… | ||
| CVE-2025-4528 | Med | 0.28 | 4.3 | 0.00 | May 11, 2025 | A weakness has been identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. This affects an unknown function. Executing a manipulation can lead to session expiration. The attack can be launched remotely. Upgrading to version 3.48.22 mitigates this issue. It is recommended to… | ||
| CVE-2026-46401 | Med | 0.27 | — | 0.00 | Jun 5, 2026 | HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain… | ||
| CVE-2026-41891 | Med | 0.27 | — | 0.00 | May 7, 2026 | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been… | ||
| CVE-2026-1163 | — | Med | 0.27 | 4.1 | 0.00 | Apr 8, 2026 | An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of… | |
| CVE-2016-0234 | Med | 0.26 | 4.0 | 0.00 | Aug 30, 2018 | IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303. | ||
| CVE-2025-46344 | Med | 0.25 | — | 0.00 | Apr 29, 2025 | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal… | ||
| CVE-2024-29402 | Med | 0.21 | 4.3 | 0.00 | Apr 16, 2024 | cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. |
- risk 0.34cvss —epss 0.00
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been…
- risk 0.34cvss 4.8epss 0.01
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again,…
- risk 0.32cvss 6.0epss 0.00
OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload. Attackers with previously valid webhook route secrets can continue authenticating requests and invoking configured…
- risk 0.31cvss 5.9epss 0.01
The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 and earlier allows attackers with access to a secret token to extend its validity period by manipulating the prepended time offset.
- risk 0.29cvss 5.6epss 0.00
wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logged in again after re-opening the…
- risk 0.28cvss 5.4epss 0.00
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing…
- risk 0.28cvss 5.4epss 0.00
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication…
- risk 0.28cvss 5.4epss 0.00
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotation.
- risk 0.28cvss 4.3epss 0.00
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.
- risk 0.28cvss 4.3epss 0.00
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — is accepted indefinitely, allowing a…
- risk 0.28cvss 5.4epss 0.00
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `verifyTokenSocket()` function in `plugin/YPTSocket/functions.php` has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a…
- risk 0.28cvss 5.4epss 0.00
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes…
- risk 0.28cvss 5.4epss 0.00
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the…
- risk 0.28cvss 4.3epss 0.00
A weakness has been identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. This affects an unknown function. Executing a manipulation can lead to session expiration. The attack can be launched remotely. Upgrading to version 3.48.22 mitigates this issue. It is recommended to…
- risk 0.27cvss —epss 0.00
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain…
- risk 0.27cvss —epss 0.00
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user check commented out. This issue has been…
- risk 0.27cvss 4.1epss 0.00
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of…
- risk 0.26cvss 4.0epss 0.00
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.
- risk 0.25cvss —epss 0.00
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal…
- risk 0.21cvss 4.3epss 0.00
cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity.