CWE-613
Insufficient Session Expiration
Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (239)
Page 7 of 12

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-31995 | | Med | 0.21 | 4.3 | 0.00 | | Apr 10, 2024 | `@digitalbazaar/zcap` provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked… |
| CVE-2026-41519 | | Med | 0.20 | 4.2 | 0.00 | | May 7, 2026 | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" are not revoked. This issue has been… |
| CVE-2026-3401 | | Low | 0.20 | 3.1 | 0.00 | | Mar 2, 2026 | A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is… |
| CVE-2026-1190 | — | Low | 0.20 | 3.1 | 0.00 | | Jan 26, 2026 | A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the… |
| CVE-2025-46336 | | Med | 0.20 | 4.2 | 0.00 | | May 8, 2025 | Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the… |
| CVE-2026-52809 | | Med | 0.19 | — | 0.00 | | Jun 23, 2026 | ## Summary Password-reset tokens are generated using `conf.Auth.ActivateCodeLives` (the account-activation lifetime), not `conf.Auth.ResetPasswordCodeLives`. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification… |
| CVE-2026-1272 | | Low | 0.18 | 2.7 | 0.00 | | Apr 23, 2026 | IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel. |
| CVE-2026-34454 | | Low | 0.16 | 3.5 | 0.00 | | Apr 14, 2026 | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout… |
| CVE-2025-52661 | | Low | 0.16 | 2.4 | 0.00 | | Jan 19, 2026 | HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. |
| CVE-2025-0138 | | Low | 0.13 | — | 0.00 | | May 14, 2025 | Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise Edition is not affected by this issue. |
| CVE-2025-4754 | | Low | 0.08 | — | 0.00 | | Jun 17, 2025 | Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_authentication_phoenix until 2.10.0. |
| CVE-2026-55423 | | | 0.00 | — | 0.00 | | Jun 19, 2026 | ### Summary The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. ### Details Not in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf`… |
| CVE-2026-54779 | | | 0.00 | — | — | | Jun 19, 2026 | ### Impact When enabling DetectReplayedTokens, a token can be replayed and will be detected despite it being reused. ### Patches Fixed in CoreWCF v1.8.1 and v1.9.1 ### Workarounds Provide your own implementation of `ITokenReplayCache` with the correct behavior. |
| CVE-2026-55617 | | | 0.00 | — | — | | Jun 18, 2026 | ### Impact Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side… |
| CVE-2026-53928 | | | 0.00 | — | 0.00 | | Jun 17, 2026 | ### Summary A stolen refresh token survived a password-forgot flow and could be used to mint fresh JWTs even after the user reset their password. ### Details `passwordChange` and `passwordReset` deleted the user's refresh tokens, but `passwordForgot` only rotated… |
| CVE-2026-53926 | | | 0.00 | — | 0.00 | | Jun 5, 2026 | ### Summary OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out. ### Details `revokeAllOAuthTokensByUser` in the users… |
| CVE-2026-46554 | | Low | 0.00 | — | 0.00 | | May 21, 2026 | ### Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. ### Details The API token deletion path removed the database row but did not evict the token-value… |
| CVE-2026-30224 | | | 0.00 | — | 0.00 | | Mar 6, 2026 | OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry… |
| CVE-2026-28396 | | | 0.00 | — | 0.00 | | Mar 2, 2026 | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password.… |
| CVE-2026-27575 | — | | 0.00 | — | 0.00 | | Feb 25, 2026 | Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes… |