CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 10 of 11
- CVE-2026-0971MEDIUMCVSS 4.3EG 4.32026-04-21
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page.
- CVE-2026-1163MEDIUMCVSS 4.1EG 4.12026-04-08
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This…
- CVE-2026-1190LOWCVSS 3.1EG 3.12026-01-26
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationDat…
- CVE-2026-1272LOWCVSS 2.7EG 2.72026-04-23
IBM Guardium Data Protection 12.0, 12.1, and 12.2 is vulnerable to Security Misconfiguration vulnerability in the user access control panel.
- CVE-2026-12772MEDIUMCVSS 6.3EG 6.32026-06-21
A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulati…
- CVE-2026-12796MEDIUMCVSS 6.3EG 6.32026-06-21
A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function get_redirect_response_from_openid of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation…
- CVE-2026-14725MEDIUMCVSS 6.3EG 6.32026-07-05
A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. T…
- CVE-2026-1815MEDIUMCVSS 5.7EG 5.72026-05-21
Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13.
- CVE-2026-1842NONECVSS 0.0EG 6.22026-02-20
HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a signifi…
- CVE-2026-20748HIGHCVSS 7.3EG 7.32026-03-06
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables s…
- CVE-2026-22706MEDIUMCVSS 6.5EG 6.52026-05-14
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidati…
- CVE-2026-24472MEDIUMCVSS 5.3EG 5.32026-01-27
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. …
- CVE-2026-24667MEDIUMCVSS 5.0EG 5.02026-02-03
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, pote…
- CVE-2026-24669HIGHCVSS 7.8EG 7.82026-02-03
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already …
- CVE-2026-24894HIGHCVSS 7.5EG 7.52026-02-12
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to…
- CVE-2026-24912HIGHCVSS 7.3EG 7.32026-03-06
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables s…
- CVE-2026-25720MEDIUMCVSS 5.4EG 5.42026-04-24
A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker w…
- CVE-2026-27649HIGHCVSS 7.3EG 7.32026-03-20
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables …
- CVE-2026-27764HIGHCVSS 7.3EG 7.32026-03-06
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables s…
- CVE-2026-28564CRITICALCVSS 9.8EG 0.02026-07-10
Insufficient Session Expiration, Authentication Bypass by Capture-replay vulnerability in Apache IoTDB. REST Basic Authentication Accepts Stale Cached Credentials This issue affects Apache IoTDB: from 1.0.0 before 2.0.10. Users are reco…
- CVE-2026-32663HIGHCVSS 7.3EG 7.32026-03-20
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables s…
- CVE-2026-3401LOWCVSS 3.1EG 3.12026-03-02
A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of …
- CVE-2026-34454LOWCVSS 3.5EG 3.52026-04-14
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the …
- CVE-2026-34503HIGHCVSS 8.1EG 8.12026-03-31
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconne…
- CVE-2026-34570HIGHCVSS 8.8EG 8.82026-04-01
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when …
- CVE-2026-34572HIGHCVSS 8.8EG 8.82026-04-01
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when …
- CVE-2026-34828HIGHCVSS 7.1EG 7.12026-04-02
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive acco…
- CVE-2026-35462MEDIUMCVSS 4.3EG 4.32026-04-07
Papra is a minimalistic document management and archiving platform. Prior to 26.4.0, API keys with an expiresAt date are never validated against the current time during authentication. Any API key — regardless of its expiration date — …
- CVE-2026-35594MEDIUMCVSS 6.5EG 6.52026-04-10
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without an…
- CVE-2026-40587MEDIUMCVSS 6.5EG 6.52026-04-21
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenti…
- CVE-2026-40934MEDIUMCVSS 6.8EG 6.82026-05-05
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never r…
- CVE-2026-40939MEDIUMCVSS 6.8EG 6.82026-04-21
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely…
- CVE-2026-41133HIGHCVSS 8.8EG 8.82026-04-22
pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after…
- CVE-2026-41356MEDIUMCVSS 5.4EG 5.42026-04-23
OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token rotat…
- CVE-2026-41519MEDIUMCVSS 4.2EG 4.22026-05-07
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_*" prefix) stored in "authtoken_token" a…
- CVE-2026-41891MEDIUMCVSS 5.3EG 5.32026-05-07
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth filter has the deactivated/banned user c…
- CVE-2026-41902CRITICALCVSS 9.1EG 9.12026-05-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no e…
- CVE-2026-41916MEDIUMCVSS 5.4EG 5.42026-04-28
OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, all…
- CVE-2026-42172LOWCVSS 3.1EG 3.12026-07-07
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. T…
- CVE-2026-42421MEDIUMCVSS 5.4EG 5.42026-04-28
OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by explo…
- CVE-2026-43911MEDIUMCVSS 6.8EG 6.82026-05-11
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (password change, KDF change, key rotation, e…
- CVE-2026-43918HIGHCVSS 8.7EG 8.72026-07-06
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identit…
- CVE-2026-43983HIGHCVSS 8.1EG 8.12026-05-12
Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, The createTokenFromRefreshToken function (oidc_service.go) validates the refresh token's cryptographic integrity but does…
- CVE-2026-44188MEDIUMCVSS 5.3EG 5.32026-06-15
A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth (Op…
- CVE-2026-44383HIGHCVSS 7.5EG 7.52026-07-10
Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.
- CVE-2026-44511HIGHCVSS 7.4EG 7.42026-05-14
Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue…
- CVE-2026-44553HIGHCVSS 8.1EG 8.12026-05-15
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, administrative role changes and user deletions do not iterate SESSION_POOL to disconnect affected sessions. As a result, a u…
- CVE-2026-44648HIGHCVSS 7.5EG 7.52026-05-29
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session fo…
- CVE-2026-44873MEDIUMCVSS 5.4EG 5.42026-05-12
A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling con…
- CVE-2026-45757LOWCVSS 2.3EG 2.32026-06-24
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using alre…
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →