Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-6944-QQG6-VMM7

Vulnerability from github – Published: 2023-10-10 15:30 – Updated: 2024-04-04 08:29
VLAI
Details

When a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user's role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-10T13:15:21Z",
    "severity": "HIGH"
  },
  "details": "\nWhen a non-admin user has been assigned an administrator role via an iControl REST PUT request and later the user\u0027s role is reverted back to a non-admin role via the Configuration utility, tmsh, or iControl REST. BIG-IP non-admin user can still have access to iControl REST admin resource.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-6944-qqg6-vmm7",
  "modified": "2024-04-04T08:29:12Z",
  "published": "2023-10-10T15:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42768"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K26910459"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6CP7-G972-W9M9

Vulnerability from github – Published: 2022-03-07 16:59 – Updated: 2022-03-18 20:12
VLAI
Summary
Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server
Details

Impact

Any configuration on any maddy version <0.5.4 using auth.pam is affected.

No password expiry or account expiry checking is done when authenticating using PAM.

Patches

Patch is available as part of the 0.5.4 release.

Workarounds

If /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.

It is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).

References

  • https://github.com/foxcpp/maddy/blob/3412e59a2c92106e194fa69f2f1017c020037c9c/internal/auth/pam/pam.c
  • https://linux.die.net/man/3/pam_acct_mgmt

For more information

If you have any questions or comments about this advisory: * Open an issue in https://github.com/foxcpp/maddy * Email fox.cpp@disroot.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/foxcpp/maddy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24732"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-324",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-07T16:59:31Z",
    "nvd_published_at": "2022-03-09T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAny configuration on any maddy version \u003c0.5.4 using auth.pam is affected.\n\nNo password expiry or account expiry checking is done when authenticating using PAM.\n\n### Patches\n\nPatch is available as part of the 0.5.4 release.\n\n### Workarounds\n\nIf /etc/shadow authentication is used, it is possible to replace auth.pam with auth.shadow which is not affected.\n\nIt is possible to blacklist expired accounts via existing filtering mechanisms (e.g. auth_map to invalid accounts in storage.imapsql).\n\n### References\n\n* https://github.com/foxcpp/maddy/blob/3412e59a2c92106e194fa69f2f1017c020037c9c/internal/auth/pam/pam.c\n* https://linux.die.net/man/3/pam_acct_mgmt\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in https://github.com/foxcpp/maddy\n* Email fox.cpp@disroot.org\n",
  "id": "GHSA-6cp7-g972-w9m9",
  "modified": "2022-03-18T20:12:30Z",
  "published": "2022-03-07T16:59:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-6cp7-g972-w9m9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24732"
    },
    {
      "type": "WEB",
      "url": "https://github.com/foxcpp/maddy/commit/7ee6a39c6a1939b376545f030a5efd6f90913583"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/foxcpp/maddy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/foxcpp/maddy/releases/tag/v0.5.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of a Key Past its Expiration Date and Insufficient Session Expiration in Maddy Mail Server"
}

GHSA-6G7G-56FM-F8MP

Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30
VLAI
Details

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials.

An application that first uses Negotiate authentication to a server with user1:password1 and then does another operation to the same server asking for any authentication method but for user2:password2 (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5545"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-13T13:01:56Z",
    "severity": "MODERATE"
  },
  "details": "libcurl might in some circumstances reuse the wrong connection when asked to\ndo an authenticated HTTP(S) request after a Negotiate-authenticated one, when\nboth use the same host.\n\nlibcurl features a pool of recent connections so that subsequent requests can\nreuse an existing connection to avoid overhead.\n\nWhen reusing a connection a range of criteria must be met. Due to a logical\nerror in the code, a request that was issued by an application could\nwrongfully reuse an existing connection to the same server that was\nauthenticated using different credentials.\n\nAn application that first uses Negotiate authentication to a server with\n`user1:password1` and then does another operation to the same server asking\nfor any authentication method but for `user2:password2` (while the previous\nconnection is still alive) - the second request gets confused and wrongly\nreuses the same connection and sends the new request over that connection\nthinking it uses a mix of user1\u0027s and user2\u0027s credentials when it is in fact\nstill using the connection authenticated for user1...",
  "id": "GHSA-6g7g-56fm-f8mp",
  "modified": "2026-05-13T18:30:52Z",
  "published": "2026-05-13T18:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5545"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3642555"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2026-5545.html"
    },
    {
      "type": "WEB",
      "url": "https://curl.se/docs/CVE-2026-5545.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6GRP-3634-PJFG

Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2025-04-20 03:36
VLAI
Details

An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8712"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-13T19:59:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable nonce reuse vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless AP running firmware 1.1. The device uses one nonce for all session authentication requests and only changes the nonce if the web application has been idle for 300 seconds.",
  "id": "GHSA-6grp-3634-pjfg",
  "modified": "2025-04-20T03:36:05Z",
  "published": "2022-05-13T01:01:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8712"
    },
    {
      "type": "WEB",
      "url": "http://www.talosintelligence.com/reports/TALOS-2016-0225"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6J8J-4QP3-36P2

Vulnerability from github – Published: 2026-04-30 17:28 – Updated: 2026-05-08 21:47
VLAI
Summary
Weblate Doesn't Invalidate API Token on Password Change
Details

Impact

When a user changes their password, browser sessions are correctly invalidated via cycle_session_keys(), but DRF API tokens (wlu_* prefix) stored in authtoken_token are not revoked.

Patches

  • https://github.com/WeblateOrg/weblate/pull/19057

Resources

Weblate thanks Sang Yu Jeon for reporting this via GitHub.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "weblate"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-30T17:28:02Z",
    "nvd_published_at": "2026-05-07T15:16:07Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhen a user changes their password, browser sessions are correctly invalidated via `cycle_session_keys()`, but DRF API tokens (`wlu_*` prefix) stored in `authtoken_token` are not revoked.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/19057\n\n### Resources\nWeblate thanks Sang Yu Jeon for reporting this via GitHub.",
  "id": "GHSA-6j8j-4qp3-36p2",
  "modified": "2026-05-08T21:47:33Z",
  "published": "2026-04-30T17:28:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-6j8j-4qp3-36p2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41519"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/pull/19057"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/commit/649a2da81700542f95c0807b3c625fc3bb0eaf95"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WeblateOrg/weblate"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WeblateOrg/weblate/releases/tag/weblate-5.17.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Weblate Doesn\u0027t Invalidate API Token on Password Change"
}

GHSA-6M8P-X4QW-GH5J

Vulnerability from github – Published: 2021-06-09 17:34 – Updated: 2024-09-27 18:26
VLAI
Summary
Insufficient Session Expiration in OpenStack Keystone
Details

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "15.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0.0rc1"
            },
            {
              "fixed": "16.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-12690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T21:08:40Z",
    "nvd_published_at": "2020-05-07T00:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.",
  "id": "GHSA-6m8p-x4qw-gh5j",
  "modified": "2024-09-27T18:26:15Z",
  "published": "2021-06-09T17:34:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12690"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1873290"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-6m8p-x4qw-gh5j"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2020-54.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/re4ffc55cd2f1b55a26e07c83b3c22c3fe4bae6054d000a57fb48d8c2@%3Ccommits.druid.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.openstack.org/ossa/OSSA-2020-005.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4480-1"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2020/05/06/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/05/07/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insufficient Session Expiration in OpenStack Keystone"
}

GHSA-6PJP-QF2F-R5Q8

Vulnerability from github – Published: 2024-01-07 00:30 – Updated: 2024-01-07 00:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0260"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-07T00:15:42Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability, which was classified as problematic, was found in SourceCodester Engineers Online Portal 1.0. Affected is an unknown function of the file change_password_teacher.php of the component Password Change. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249816.",
  "id": "GHSA-6pjp-qf2f-r5q8",
  "modified": "2024-01-07T00:30:21Z",
  "published": "2024-01-07T00:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0260"
    },
    {
      "type": "WEB",
      "url": "https://mega.nz/file/yEsSwK6D#--ygVt0NtzhZdqVxvjaPLCYfnIeBSyf76KaRozOxfVo"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.249816"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.249816"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6RRR-78XP-5JP8

Vulnerability from github – Published: 2023-01-11 18:27 – Updated: 2023-01-24 18:55
VLAI
Summary
Zitadel RefreshToken invalidation vulnerability
Details

Impact

RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI.

RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant.

When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration).

Patches

2.x versions are fixed on >= 2.17.3 2.16.x versions are fixed on >= 2.16.4

ZITADEL recommends upgrading to the latest versions available in due course.

Workarounds

Ensure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements.

References

https://zitadel.com/docs/guides/manage/console/instance-settings#oidc-token-lifetimes-and-expiration

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.17.0"
            },
            {
              "fixed": "2.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/zitadel/zitadel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.16.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-11T18:27:48Z",
    "nvd_published_at": "2023-01-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nRefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user\u0027s session without the need for interacting with a UI.\n\nRefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant.\n\nWhen the locked or deactivated user\u2019s session was already terminated (\u201clogged out\u201d) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration).\n\n### Patches\n2.x versions are fixed on \u003e= [2.17.3](https://github.com/zitadel/zitadel/releases/tag/v2.17.3)\n2.16.x versions are fixed on \u003e= [2.16.4](https://github.com/zitadel/zitadel/releases/tag/v2.16.4)\n\nZITADEL recommends upgrading to the latest versions available in due course.\n\n### Workarounds\nEnsure the RefreshTokenExpiration in the OIDC settings of your instance is set according to your security requirements.\n\n### References\n\nhttps://zitadel.com/docs/guides/manage/console/instance-settings#oidc-token-lifetimes-and-expiration\n",
  "id": "GHSA-6rrr-78xp-5jp8",
  "modified": "2023-01-24T18:55:45Z",
  "published": "2023-01-11T18:27:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rrr-78xp-5jp8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/301e22c4956ead6014a8179463c37263f7301a83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/commit/fc892c52a10cd4ffdac395747494f3a93a7494c2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zitadel/zitadel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.16.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zitadel/zitadel/releases/tag/v2.17.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Zitadel RefreshToken invalidation vulnerability"
}

GHSA-6WQW-2P9W-4VW4

Vulnerability from github – Published: 2026-01-27 19:04 – Updated: 2026-01-29 03:39
VLAI
Summary
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Details

Summary

Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as Cache-Control: private or Cache-Control: no-store, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.

Details

The vulnerability exists in the cache decision logic of Cache Middleware. When determining whether a response should be cached, the middleware does not take HTTP cache control semantics into account and may cache responses that are explicitly marked as private by the application. While some runtimes, such as Cloudflare Workers, enforce cache control restrictions at the platform level, other runtimes including Deno, Bun, and Node.js rely on the middleware’s behavior. As a result, applications running on these runtimes may unintentionally cache sensitive responses.

Impact

This issue can lead to Web Cache Deception and information disclosure. If an authenticated user accesses an endpoint that returns user-specific or sensitive data and the response is cached despite being marked as private, subsequent unauthenticated requests may receive the cached response. This may result in the exposure of personally identifiable information or session-related data. The impact is limited to applications that use the hono/cache middleware and rely on it to correctly honor HTTP cache control directives.

Affected Components

  • Cache Middleware
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hono"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.11.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-524",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T19:04:17Z",
    "nvd_published_at": "2026-01-27T20:16:22Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nCache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users.\n\n## Details\n\nThe vulnerability exists in the cache decision logic of Cache Middleware. When determining whether a response should be cached, the middleware does not take HTTP cache control semantics into account and may cache responses that are explicitly marked as private by the application. While some runtimes, such as Cloudflare Workers, enforce cache control restrictions at the platform level, other runtimes including Deno, Bun, and Node.js rely on the middleware\u2019s behavior. As a result, applications running on these runtimes may unintentionally cache sensitive responses.\n\n## Impact\n\nThis issue can lead to Web Cache Deception and information disclosure. If an authenticated user accesses an endpoint that returns user-specific or sensitive data and the response is cached despite being marked as private, subsequent unauthenticated requests may receive the cached response. This may result in the exposure of personally identifiable information or session-related data. The impact is limited to applications that use the hono/cache middleware and rely on it to correctly honor HTTP cache control directives.\n\n## Affected Components\n\n* Cache Middleware",
  "id": "GHSA-6wqw-2p9w-4vw4",
  "modified": "2026-01-29T03:39:36Z",
  "published": "2026-01-27T19:04:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/honojs/hono"
    },
    {
      "type": "WEB",
      "url": "https://github.com/honojs/hono/releases/tag/v4.11.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hono cache middleware ignores \"Cache-Control: private\" leading to Web Cache Deception"
}

GHSA-6WR7-FWXP-GG3V

Vulnerability from github – Published: 2023-04-05 09:30 – Updated: 2023-04-11 15:30
VLAI
Details

A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-224994 is the identifier assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-1854"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T08:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-224994 is the identifier assigned to this vulnerability.",
  "id": "GHSA-6wr7-fwxp-gg3v",
  "modified": "2023-04-11T15:30:31Z",
  "published": "2023-04-05T09:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1854"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jlan45/OGTSFCOIA/blob/main/unauthorizedaccess.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.224994"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.224994"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.