CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-2W7H-66VJ-246P
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:41OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.
{
"affected": [],
"aliases": [
"CVE-2017-11667"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-26T20:29:00Z",
"severity": "HIGH"
},
"details": "OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expiry, which allows remote attackers to perform APIv3 requests indefinitely by leveraging a hijacked session.",
"id": "GHSA-2w7h-66vj-246p",
"modified": "2025-04-20T03:41:28Z",
"published": "2022-05-13T01:42:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11667"
},
{
"type": "WEB",
"url": "https://github.com/opf/openproject/commit/0fdd7578909d2ec50abc275fc4962e99566437ee"
},
{
"type": "WEB",
"url": "https://www.openproject.org/openproject-6-1-6-released-security-fix"
},
{
"type": "WEB",
"url": "https://www.openproject.org/openproject-7-0-3-released"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2W9P-MQX6-CVQC
Vulnerability from github – Published: 2023-10-13 15:30 – Updated: 2024-04-04 08:37A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request
{
"affected": [],
"aliases": [
"CVE-2023-33303"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-13T15:15:43Z",
"severity": "HIGH"
},
"details": "A insufficient session expiration in Fortinet FortiEDR version 5.0.0 through 5.0.1 allows attacker to execute unauthorized code or commands via api request",
"id": "GHSA-2w9p-mqx6-cvqc",
"modified": "2024-04-04T08:37:57Z",
"published": "2023-10-13T15:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33303"
},
{
"type": "WEB",
"url": "https://fortiguard.com/psirt/FG-IR-23-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WGG-6F6V-VVVX
Vulnerability from github – Published: 2025-06-03 18:30 – Updated: 2025-06-03 18:30IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not invalidate session after a logout which could allow a user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-25019"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T16:15:23Z",
"severity": "MODERATE"
},
"details": "IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not invalidate session after a logout which could allow a user to impersonate another user on the system.",
"id": "GHSA-2wgg-6f6v-vvvx",
"modified": "2025-06-03T18:30:41Z",
"published": "2025-06-03T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25019"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7235432"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-2X2G-FCPP-7FR9
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-20 18:31HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.
{
"affected": [],
"aliases": [
"CVE-2026-1842"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T17:25:50Z",
"severity": "MODERATE"
},
"details": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.",
"id": "GHSA-2x2g-fcpp-7fr9",
"modified": "2026-02-20T18:31:39Z",
"published": "2026-02-20T18:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1842"
},
{
"type": "WEB",
"url": "https://advisories.softiron.cloud"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-2XWX-QWXW-X89V
Vulnerability from github – Published: 2023-03-01 09:30 – Updated: 2023-03-04 03:30An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account
{
"affected": [],
"aliases": [
"CVE-2023-22771"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-01T08:15:00Z",
"severity": "LOW"
},
"details": "An insufficient session expiration vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability allows an attacker to keep a session running on an affected device after the removal of the impacted account",
"id": "GHSA-2xwx-qwxw-x89v",
"modified": "2023-03-04T03:30:18Z",
"published": "2023-03-01T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22771"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-002.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-32FR-75XX-54F3
Vulnerability from github – Published: 2025-11-18 21:32 – Updated: 2025-11-19 21:31The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities.
{
"affected": [],
"aliases": [
"CVE-2025-63226"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T20:15:47Z",
"severity": "MODERATE"
},
"details": "The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target\u0027s logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities.",
"id": "GHSA-32fr-75xx-54f3",
"modified": "2025-11-19T21:31:23Z",
"published": "2025-11-18T21:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63226"
},
{
"type": "WEB",
"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63226_Sencore_SMP100_Session_Hijacking"
},
{
"type": "WEB",
"url": "https://www.sencore.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-332G-G9J2-2JVJ
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944.
{
"affected": [],
"aliases": [
"CVE-2021-20473"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-07T18:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Sterling File Gateway User Interface 2.2.0.0 through 6.1.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 196944.",
"id": "GHSA-332g-g9j2-2jvj",
"modified": "2022-05-24T19:16:53Z",
"published": "2022-05-24T19:16:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20473"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/196944"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6496785"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-339V-266X-79XR
Vulnerability from github – Published: 2026-07-09 20:52 – Updated: 2026-07-09 20:52Summary
Two related authorization gaps let a host that should no longer be trusted obtain a fresh, valid Nebula certificate, because nebula-mgmt does not re-evaluate revocation/authorization state at certificate issuance time — only at poll time.
1. Blocklist not enforced at sign / re-enroll time
internal/api/enroll.go:128 calls caMgr.Sign(...) without consulting the blocklist. The blocklist is only checked in the poll path (internal/api/updates.go:57, fingerprintInBlocklist). The blocklist is keyed by certificate fingerprint (internal/store/sqlite.go), so a re-enrollment produces a new fingerprint that is not in the blocklist.
mintEnrollmentTokenForHost (internal/api/hosts.go:491) authorizes the caller via canAccessHost but does not check the host status. There is no guard preventing a blocked host from transitioning back to enrolled (internal/store/sqlite.go, enrollHostInTx updates status unconditionally).
Impact: A host that an operator has blocked can be silently un-blocked by issuing a new enrollment token and re-enrolling — it receives a fresh certificate (new fingerprint) that passes all subsequent poll-time blocklist checks. Revocation is therefore not durable. Requires an operator action (minting a re-enroll token), so this is an integrity/operational-revocation failure rather than an unauthenticated bypass.
2. Renewal does not re-validate operator / CA status
Auto-renewal at poll time (internal/api/updates.go:285-319, signHostCert) reads host.Name, host.Groups, host.NebulaIPs from the DB and re-signs without checking whether the owning operator is still active or the CA still valid. DisableOperator (internal/store/sqlite_operators.go) revokes sessions and API keys but does not retire the operator's CAs, and pki/signer.go checks only CA cert time-expiry, not operator/CA status.
Impact: A host enrolled under an operator who is later disabled continues to renew its certificate indefinitely. Offboarding an operator does not cut off the hosts they provisioned.
Affected versions
Latest tagged release (v0.3.6) and main.
Remediation
- Call a blocklist/status guard inside
handleEnrollandsignHostCertbeforecaMgr.Sign(...); refuse issuance for a host whose status isblockedor whose previous fingerprint is on the blocklist. Require an explicit unblock before re-enroll. - At renewal, re-resolve the owning operator/CA status and reject renewal if the operator is disabled or the CA retired (force re-enrollment instead).
Discovery
Found during an internal source + offensive security audit (tracking issue #178). Adversarially cross-verified against the code paths above.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/forgekeep/nebula-mesh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53602"
],
"database_specific": {
"cwe_ids": [
"CWE-613",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-09T20:52:27Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nTwo related authorization gaps let a host that should no longer be trusted obtain a fresh, valid Nebula certificate, because nebula-mgmt does not re-evaluate revocation/authorization state at certificate *issuance* time \u2014 only at poll time.\n\n## 1. Blocklist not enforced at sign / re-enroll time\n\n`internal/api/enroll.go:128` calls `caMgr.Sign(...)` without consulting the blocklist. The blocklist is only checked in the poll path (`internal/api/updates.go:57`, `fingerprintInBlocklist`). The blocklist is keyed by certificate *fingerprint* (`internal/store/sqlite.go`), so a re-enrollment produces a new fingerprint that is not in the blocklist.\n\n`mintEnrollmentTokenForHost` (`internal/api/hosts.go:491`) authorizes the caller via `canAccessHost` but does **not** check the host status. There is no guard preventing a `blocked` host from transitioning back to `enrolled` (`internal/store/sqlite.go`, `enrollHostInTx` updates status unconditionally).\n\n**Impact:** A host that an operator has blocked can be silently un-blocked by issuing a new enrollment token and re-enrolling \u2014 it receives a fresh certificate (new fingerprint) that passes all subsequent poll-time blocklist checks. Revocation is therefore not durable. Requires an operator action (minting a re-enroll token), so this is an integrity/operational-revocation failure rather than an unauthenticated bypass.\n\n## 2. Renewal does not re-validate operator / CA status\n\nAuto-renewal at poll time (`internal/api/updates.go:285-319`, `signHostCert`) reads `host.Name`, `host.Groups`, `host.NebulaIPs` from the DB and re-signs without checking whether the owning operator is still active or the CA still valid. `DisableOperator` (`internal/store/sqlite_operators.go`) revokes sessions and API keys but does not retire the operator\u0027s CAs, and `pki/signer.go` checks only CA cert time-expiry, not operator/CA status.\n\n**Impact:** A host enrolled under an operator who is later disabled continues to renew its certificate indefinitely. Offboarding an operator does not cut off the hosts they provisioned.\n\n## Affected versions\n\nLatest tagged release (v0.3.6) and `main`.\n\n## Remediation\n\n1. Call a blocklist/status guard inside `handleEnroll` and `signHostCert` **before** `caMgr.Sign(...)`; refuse issuance for a host whose status is `blocked` or whose previous fingerprint is on the blocklist. Require an explicit unblock before re-enroll.\n2. At renewal, re-resolve the owning operator/CA status and reject renewal if the operator is disabled or the CA retired (force re-enrollment instead).\n\n## Discovery\n\nFound during an internal source + offensive security audit (tracking issue #178). Adversarially cross-verified against the code paths above.",
"id": "GHSA-339v-266x-79xr",
"modified": "2026-07-09T20:52:27Z",
"published": "2026-07-09T20:52:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/security/advisories/GHSA-339v-266x-79xr"
},
{
"type": "WEB",
"url": "https://github.com/forgekeep/nebula-mesh/issues/178"
},
{
"type": "PACKAGE",
"url": "https://github.com/forgekeep/nebula-mesh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate"
}
GHSA-33W6-PM3H-V82J
Vulnerability from github – Published: 2025-10-31 00:30 – Updated: 2025-11-06 18:32Nagios Fusion versions prior to R2.1 contain a vulnerability due to the application not requiring re-authentication or session rotation when a user has enabled two-factor authentication (2FA). As a result, an adversary who has obtained a valid session could continue using the active session after the target user enabled 2FA, potentially preventing the legitimate user from locking the attacker out and enabling persistent account takeover.
{
"affected": [],
"aliases": [
"CVE-2025-34269"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-30T22:15:47Z",
"severity": "HIGH"
},
"details": "Nagios Fusion versions prior to R2.1 contain a vulnerability due to the application not requiring re-authentication or session rotation when a user has enabled two-factor authentication (2FA). As a result, an adversary who has obtained a valid session could continue using the active session after the target user enabled 2FA, potentially preventing the legitimate user from locking the attacker out and enabling persistent account takeover.",
"id": "GHSA-33w6-pm3h-v82j",
"modified": "2025-11-06T18:32:48Z",
"published": "2025-10-31T00:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-34269"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/nagios-fusion"
},
{
"type": "WEB",
"url": "https://www.nagios.com/products/security/#fusion"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nagios-fusion-2fa-lack-of-reauthentication-or-session-rotation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3458-R943-HMX4
Vulnerability from github – Published: 2026-03-27 18:17 – Updated: 2026-03-27 21:47Summary
A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.
Impact
If an attacker had prior access to a valid password reset token, they could reuse that token within its validity window to reset the user’s password after the user has already changed it. This could result in temporary account takeover.
Exploitation requires prior compromise of a password reset token and is further constrained by the token’s 24-hour expiration period. The issue does not allow discovery of reset tokens, does not bypass authentication on its own, and does not affect accounts without an existing valid reset token.
Workarounds
Until patched, users who believe a password reset token may have been exposed should wait for the token to expire before reusing the account, or contact a Fleet administrator to invalidate active sessions.
For more information
If there are any questions or comments about this advisory:
Email Fleet at security@fleetdm.com
Join #fleet in osquery Slack
Credits
Fleet thanks @fuzzztf for responsibly reporting this issue.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/fleetdm/fleet/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.43.5-0.20260113202849-bbc1aef2987d"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26060"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-27T18:17:09Z",
"nvd_published_at": "2026-03-27T19:16:42Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nA vulnerability in Fleet\u2019s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change.\n\n### Impact\n\nIf an attacker had prior access to a valid password reset token, they could reuse that token within its validity window to reset the user\u2019s password after the user has already changed it. This could result in temporary account takeover.\n\nExploitation requires prior compromise of a password reset token and is further constrained by the token\u2019s 24-hour expiration period. The issue does not allow discovery of reset tokens, does not bypass authentication on its own, and does not affect accounts without an existing valid reset token.\n\n### Workarounds\n\nUntil patched, users who believe a password reset token may have been exposed should wait for the token to expire before reusing the account, or contact a Fleet administrator to invalidate active sessions.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nEmail Fleet at [security@fleetdm.com](mailto:security@fleetdm.com) \nJoin #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)\n\n### Credits\n\nFleet thanks @fuzzztf for responsibly reporting this issue.",
"id": "GHSA-3458-r943-hmx4",
"modified": "2026-03-27T21:47:33Z",
"published": "2026-03-27T18:17:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-3458-r943-hmx4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26060"
},
{
"type": "PACKAGE",
"url": "https://github.com/fleetdm/fleet"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fleet: Password reset tokens remain valid after password change for 24 hours"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.