CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 8 of 11
- CVE-2024-49825MEDIUMCVSS 6.3EG 6.32025-04-14
IBM Robotic Process Automation and Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.20 and 23.0.0 through 23.0.20 does not invalidate session after a logout which could allow an authenticated user to impersonate another user …
- CVE-2024-50562MEDIUMCVSS 4.8EG 4.82025-06-10
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log …
- CVE-2024-52311MEDIUMCVSS 6.3EG 6.32024-11-09
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.
- CVE-2024-52553HIGHCVSS 8.8EG 8.82024-11-13
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.
- CVE-2024-55603MEDIUMCVSS 6.5EG 6.52024-12-19
Kanboard is project management software that focuses on the Kanban methodology. In affected versions sessions are still usable even though their lifetime has exceeded. Kanboard implements a cutom session handler (`app/Core/Session/SessionH…
- CVE-2024-56351MEDIUMCVSS 6.3EG 6.32024-12-20
In JetBrains TeamCity before 2024.12 access tokens were not revoked after removing user roles
- CVE-2024-56413MEDIUMCVSS 6.1EG 6.12025-01-02
Missing session invalidation after user deletion. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
- CVE-2024-57056MEDIUMCVSS 5.4EG 5.42025-02-18
Incorrect cookie session handling in WombatDialer before 25.02 results in the full session identity being written to system logs and could be used by a malicious attacker to impersonate an existing user session.
- CVE-2024-5995HIGHCVSS 8.8EG 8.82024-06-14
The notification emails sent by Soar Cloud HR Portal contain a link with a embedded session. The expiration of the session is not properly configured, remaining valid for more than 7 days and can be reused.
- CVE-2024-7998LOWCVSS 2.6EG 2.62024-08-21
In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan.
- CVE-2024-8888CRITICALCVSS 10.0EG 10.02024-09-18
An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have no expiration date to access the web application without restrictions. Token the…
- CVE-2025-0138LOWCVSS 2.0EG 2.02025-05-14
Web sessions in the web interface of Palo Alto Networks Prisma® Cloud Compute Edition do not expire when users are deleted, which makes Prisma Cloud Compute Edition susceptible to unauthorized access. Compute in Prisma Cloud Enterprise E…
- CVE-2025-10223MEDIUMCVSS 5.4EG 5.42025-09-10
Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an une…
- CVE-2025-11429MEDIUMCVSS 5.4EG 5.42025-10-23
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until th…
- CVE-2025-11699HIGHCVSS 7.1EG 7.12025-12-01
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a a valid session cookie access to privileged endpoints (such as /admin) even after th…
- CVE-2025-1198MEDIUMCVSS 4.2EG 4.22025-02-13
An issue discovered in GitLab CE/EE affecting all versions from 16.11 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 meant that long-lived connections in ActionCable potentially allowed revoked Personal Access Tokens acces…
- CVE-2025-12110MEDIUMCVSS 5.4EG 5.42025-10-23
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a …
- CVE-2025-12278MEDIUMCVSS 6.5EG 6.52025-10-26
Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
- CVE-2025-12624MEDIUMCVSS 6.0EG 6.02026-04-16
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protect…
- CVE-2025-15552HIGHCVSS 7.8EG 7.82026-03-16
Insufficient Session Expiration in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.
- CVE-2025-15553HIGHCVSS 7.1EG 7.12026-03-16
Non-working logout functionality in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin password.
- CVE-2025-1968HIGHCVSS 7.7EG 7.72025-04-09
Insufficient Session Expiration vulnerability in Progress Software Corporation Sitefinity under some specific and uncommon circumstances allows reusing Session IDs (Session Replay Attacks).This issue affects Sitefinity: from 14.0 through 1…
- CVE-2025-2185HIGHCVSS 8.0EG 8.02025-04-25
ALBEDO Telecom Net.Time - PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, re…
- CVE-2025-22386HIGHCVSS 7.3EG 7.32025-01-04
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. A medium-severity session issue exists in the Commerce B2B application, affecting the longevity of active sessions in the storefront. This allows session tokens tie…
- CVE-2025-23419MEDIUMCVSS 4.3EG 4.32025-02-05
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session…
- CVE-2025-24859HIGHCVSS 8.8EG 8.82025-04-14
A session management vulnerability exists in Apache Roller before version 6.1.5 where active user sessions are not properly invalidated after password changes. When a user's password is changed, either by the user themselves or by an admin…
- CVE-2025-24896HIGHCVSS 8.1EG 8.12025-02-11
Misskey is an open source, federated social media platform. Starting in version 12.109.0 and prior to version 2025.2.0-alpha.0, a login token named `token` is stored in a cookie for authentication purposes in Bull Dashboard, but this remai…
- CVE-2025-24973CRITICALCVSS 9.3EG 9.32025-02-11
Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a us…
- CVE-2025-25019MEDIUMCVSS 4.8EG 4.82025-06-03
IBM QRadar Suite Software 1.10.12.0 through 1.11.2.0 and IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 does not invalidate session after a logout which could allow a user to impersonate another user on the system.
- CVE-2025-25252MEDIUMCVSS 4.8EG 4.82025-10-14
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose acc…
- CVE-2025-2596MEDIUMCVSS 5.3EG 5.32025-03-26
Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL)
- CVE-2025-27898MEDIUMCVSS 6.3EG 6.32026-02-17
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-28059HIGHCVSS 7.5EG 7.52025-04-18
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, th…
- CVE-2025-28132MEDIUMCVSS 4.6EG 4.62025-04-01
A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration,…
- CVE-2025-30516LOWCVSS 2.0EG 2.02025-04-14
Mattermost Mobile Apps versions <=2.25.0 fail to terminate sessions during logout under certain conditions (e.g. poor connectivity), allowing unauthorized users on shared devices to access sensitive notification content via continued mob…
- CVE-2025-31952HIGHCVSS 7.1EG 7.12025-07-24
HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access.
- CVE-2025-31962LOWCVSS 2.0EG 2.02026-01-07
Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods.
- CVE-2025-32441MEDIUMCVSS 4.2EG 4.22025-05-07
Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that sess…
- CVE-2025-33005MEDIUMCVSS 6.3EG 6.32025-06-01
IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-35433MEDIUMCVSS 5.0EG 5.02025-09-17
CISA Thorium does not properly invalidate previously used tokens when resetting passwords. An attacker that possesses a previously used token could still log in after a password reset. Fixed in 1.1.1.
- CVE-2025-36040MEDIUMCVSS 6.5EG 6.52025-07-31
IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms.
- CVE-2025-36063MEDIUMCVSS 6.3EG 6.32026-01-20
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-36065MEDIUMCVSS 6.3EG 6.32026-01-20
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-36359MEDIUMCVSS 6.5EG 8.12026-06-30
IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-36360MEDIUMCVSS 5.0EG 5.02025-12-15
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP …
- CVE-2025-3930MEDIUMCVSS 6.3EG 6.32025-10-16
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is…
- CVE-2025-40566HIGHCVSS 8.8EG 8.82025-05-13
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions < V4.1 Update 3), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1). Affected products do not correctly invalidate user sessions upon user logout. This could allow…
- CVE-2025-42602HIGHCVSS 8.2EG 8.22025-04-23
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating t…
- CVE-2025-43819MEDIUMCVSS 6.5EG 6.52025-09-24
A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is…
- CVE-2025-4407MEDIUMCVSS 6.7EG 6.72025-06-30
Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1.
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →