CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-7XWP-2CPP-P8R7
Vulnerability from github – Published: 2025-07-16 14:09 – Updated: 2025-07-29 23:17Summary
File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWE's listed in this report for further reference and system standards. In summary, the main issue is:
- Tokens remain valid after logout (session replay attacks)
In this report, I used docker as the documentation instruct:
docker run \
-v filebrowser_data:/srv \
-v filebrowser_database:/database \
-v filebrowser_config:/config \
-p 8080:80 \
filebrowser/filebrowser
Details
Issue: Tokens remain valid after logout (session replay attacks)
After logging in and receiving a JWT token, the user can explicitly "log out." However, this action does not invalidate the issued JWT. Any captured token can be replayed post-logout until it expires naturally. The backend does not track active sessions or invalidate existing tokens on logout. Login request:
POST /api/login HTTP/1.1
Host: machine.local:8090
Content-Length: 69
{"username":"admin","password":"password-here","recaptcha":""}
The check found in the code https://github.com/filebrowser/filebrowser/blob/master/http/auth.go is not enough. There is no server-side blacklist or token invalidation on logout. Token renewal and validity only depends on expiry and user store timestamps:
expired := !tk.VerifyExpiresAt(time.Now().Add(time.Hour), true)
updated := tk.IssuedAt != nil && tk.IssuedAt.Unix() < d.store.Users.LastUpdate(tk.User.ID)
PoC
Issue: Tokens remain valid after logout (session replay attacks)
- Login and capture the generate JWT. Eg. the http request:
POST /api/login HTTP/1.1
Host: machine.local:8090
Content-Length: 69
{"username":"admin","password":"password-here","recaptcha":""}
- Logout in the dashboard. And then try to use the old generated JWT to access any authenticated endpoint eg:
GET /api/resources HTTP/1.1
Host: machine.local:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
X-Auth: Old-JWT-token-here
Content-Length: 173
Accept: */*
Referer: http://machine.local:8090/files/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 26
Connection: keep-alive
Impact
- A valid JWT remains active after user logout.
- If stolen, tokens persist access indefinitely until expiry.
- Violates OWASP Top 10 A2:2021 - Broken Authentication.
Recommendations
- Read all CWE's attached in this report
- Invalidate JWTs on logout via session store / token blacklist.
- Reduce JWT ExpiresAt where possible or use short-lived + refresh tokens.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.39.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/filebrowser/filebrowser/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.39.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53826"
],
"database_specific": {
"cwe_ids": [
"CWE-305",
"CWE-384",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-16T14:09:28Z",
"nvd_published_at": "2025-07-15T18:15:24Z",
"severity": "HIGH"
},
"details": "### Summary\n\nFile Browser\u2019s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWE\u0027s listed in this report for further reference and system standards. In summary, the main issue is:\n\n- Tokens remain valid after logout (session replay attacks)\n\nIn this report, I used docker as the documentation instruct:\n\n```\ndocker run \\\n -v filebrowser_data:/srv \\\n -v filebrowser_database:/database \\\n -v filebrowser_config:/config \\\n -p 8080:80 \\\n filebrowser/filebrowser\n```\n\n### Details\n\n**Issue: Tokens remain valid after logout (session replay attacks)**\n\nAfter logging in and receiving a JWT token, the user can explicitly \"log out.\" However, this action does not invalidate the issued JWT. Any captured token can be replayed post-logout until it expires naturally. The backend does not track active sessions or invalidate existing tokens on logout. Login request:\n\n```\nPOST /api/login HTTP/1.1\nHost: machine.local:8090\nContent-Length: 69\n\n{\"username\":\"admin\",\"password\":\"password-here\",\"recaptcha\":\"\"}\n```\n\nThe check found in the code `https://github.com/filebrowser/filebrowser/blob/master/http/auth.go` is not enough. There is no server-side blacklist or token invalidation on logout. Token renewal and validity only depends on expiry and user store timestamps:\n\n```\nexpired := !tk.VerifyExpiresAt(time.Now().Add(time.Hour), true)\nupdated := tk.IssuedAt != nil \u0026\u0026 tk.IssuedAt.Unix() \u003c d.store.Users.LastUpdate(tk.User.ID)\n```\n\n### PoC\n\n**Issue: Tokens remain valid after logout (session replay attacks)**\n\n- Login and capture the generate JWT. Eg. the http request:\n\n```\nPOST /api/login HTTP/1.1\nHost: machine.local:8090\nContent-Length: 69\n\n{\"username\":\"admin\",\"password\":\"password-here\",\"recaptcha\":\"\"}\n```\n\n- Logout in the dashboard. And then try to use the old generated JWT to access any authenticated endpoint eg:\n\n```\nGET /api/resources HTTP/1.1\nHost: machine.local:8090\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36\nX-Auth: Old-JWT-token-here\nContent-Length: 173\nAccept: */*\nReferer: http://machine.local:8090/files/\nAccept-Encoding: gzip, deflate, br\nAccept-Language: en-US,en;q=0.9\nContent-Length: 26\n\nConnection: keep-alive\n```\n\n### Impact\n\n- A valid JWT remains active after user logout.\n- If stolen, tokens persist access indefinitely until expiry.\n- Violates OWASP Top 10 A2:2021 - Broken Authentication.\n\n### Recommendations\n\n- Read all CWE\u0027s attached in this report\n- Invalidate JWTs on logout via session store / token blacklist.\n- Reduce JWT ExpiresAt where possible or use short-lived + refresh tokens.",
"id": "GHSA-7xwp-2cpp-p8r7",
"modified": "2025-07-29T23:17:56Z",
"published": "2025-07-16T14:09:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53826"
},
{
"type": "WEB",
"url": "https://github.com/filebrowser/filebrowser/issues/5216"
},
{
"type": "PACKAGE",
"url": "https://github.com/filebrowser/filebrowser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "File Browser\u2019s insecure JWT handling can lead to session replay attacks after logout"
}
GHSA-83MW-HRR9-5QQ8
Vulnerability from github – Published: 2025-04-02 15:31 – Updated: 2025-04-02 15:31IBM Jazz Reporting Service 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated privileged user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-25051"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-02T15:15:56Z",
"severity": "MODERATE"
},
"details": "IBM Jazz Reporting Service 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated privileged user to impersonate another user on the system.",
"id": "GHSA-83mw-hrr9-5qq8",
"modified": "2025-04-02T15:31:37Z",
"published": "2025-04-02T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25051"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7229760"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84XH-PWC6-7G4G
Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2026-01-27 15:30When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2025-23419"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-613",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T18:15:33Z",
"severity": "MODERATE"
},
"details": "When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-84xh-pwc6-7g4g",
"modified": "2026-01-27T15:30:26Z",
"published": "2025-02-05T18:34:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23419"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00017.html"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000149173"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/02/05/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-857Q-PWW2-XGV7
Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently.
{
"affected": [],
"aliases": [
"CVE-2025-55705"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-22T23:15:50Z",
"severity": "HIGH"
},
"details": "This vulnerability occurs when the system permits multiple simultaneous \nconnections to the backend using the same charging station ID. This can \nresult in unauthorized access, data inconsistency, or potential \nmanipulation of charging sessions. The lack of proper session management\n and expiration control allows attackers to exploit this weakness by \nreusing valid charging station IDs to establish multiple sessions \nconcurrently.",
"id": "GHSA-857q-pww2-xgv7",
"modified": "2026-01-23T00:31:17Z",
"published": "2026-01-23T00:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55705"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-85R2-J732-H557
Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2025-36359"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T21:16:30Z",
"severity": "HIGH"
},
"details": "IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-85r2-j732-h557",
"modified": "2026-06-30T21:31:45Z",
"published": "2026-06-30T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36359"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7277970"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-8863-4QMG-FR45
Vulnerability from github – Published: 2025-01-08 09:30 – Updated: 2025-01-08 16:14Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.
This issue affects Apache Airflow Fab Provider: before 1.5.2.
When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from CVE-2023-40273 which was addressed in Apache-Airflow 2.7.0
Users are recommended to upgrade to version 1.5.2, which fixes the issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow-providers-fab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45033"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-01-08T16:14:43Z",
"nvd_published_at": "2025-01-08T09:15:07Z",
"severity": "LOW"
},
"details": "Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider.\n\nThis issue affects Apache Airflow Fab Provider: before 1.5.2.\n\nWhen user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session expiration, thus logged users could continue to be logged in even after the password was changed. This only happened when the password was changed with CLI. The problem does not happen in case change was done with webserver thus this is different from\u00a0[CVE-2023-40273](https://github.com/advisories/GHSA-pm87-24wq-r8w9)\u00a0which was addressed in Apache-Airflow 2.7.0\n\n\nUsers are recommended to upgrade to version 1.5.2, which fixes the issue.",
"id": "GHSA-8863-4qmg-fr45",
"modified": "2025-01-08T16:14:43Z",
"published": "2025-01-08T09:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45033"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/45139"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yw535346rk766ybzpqtvrl36sjj789st"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow Fab Provider Insufficient Session Expiration vulnerability"
}
GHSA-895X-RFQP-JH5C
Vulnerability from github – Published: 2025-10-23 15:30 – Updated: 2026-02-17 17:21A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.keycloak:keycloak-services"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "26.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-12110"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-23T19:24:54Z",
"nvd_published_at": "2025-10-23T15:15:32Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.",
"id": "GHSA-895x-rfqp-jh5c",
"modified": "2026-02-17T17:21:35Z",
"published": "2025-10-23T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12110"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/pull/43790"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/54e1c8af1e089ad33d32e0f2792610e4b8df421b"
},
{
"type": "WEB",
"url": "https://github.com/keycloak/keycloak/commit/c830a27928cac4294619af7d147bdff34d4a85e7"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21370"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21371"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:22089"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-12110"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2406033"
},
{
"type": "PACKAGE",
"url": "https://github.com/keycloak/keycloak"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Keycloak does not invalidate offline sessions when the offline_access scope is removed"
}
GHSA-89HR-6X2P-8XJV
Vulnerability from github – Published: 2026-03-31 15:31 – Updated: 2026-03-31 23:51Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.28"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-31T23:51:46Z",
"nvd_published_at": "2026-03-31T15:16:19Z",
"severity": "HIGH"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.",
"id": "GHSA-89hr-6x2p-8xjv",
"modified": "2026-03-31T23:51:46Z",
"published": "2026-03-31T15:31:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2pr2-hcv6-7gwv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34503"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7a801cc451e9e667b705eeccff651923a1b8c863"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-incomplete-websocket-session-termination-on-device-removal-and-token-revocation"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: OpenClaw\u0027s device removal and token revocation do not terminate active WebSocket sessions",
"withdrawn": "2026-03-31T23:51:46Z"
}
GHSA-8C39-XPPG-479C
Vulnerability from github – Published: 2026-01-06 17:18 – Updated: 2026-01-06 17:18Summary
Pterodactyl does not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.
Details
When a user opens a connection to a server using the Wings SFTP server instance the permissions are checked and returned from the authentication API call made to the Panel. However, credentials are not checked again after the initial handshake. Thus, if a user is removed from a server in the panel or have their permissions modified, those permissions are not updated in the SFTP connection.
As a result, a user that has already gained access to a server's files via the SFTP subsystem will maintain those permissions until disconnected (via Wings restart, or a manual disconnection on their end).
[!NOTE]
This issue impacts the SFTP subsystem for server files specifically. There is no exposure of Wings private data, or any data outside of a server's local filesystem. Additionally, a user must have been connected to SFTP at the time of their permissions being revoked in order for this issue to be exploited. If a user was not connected, they would not be able to connect once their permissions were reduced.
Fix
Please upgrade to wings@1.12.0 and panel@1.12.0 to resolve this issue. Patches are available via the implementation PRs, but it is recommended to apply by upgrading the entire instance.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/pterodactyl/wings"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68954"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-06T17:18:56Z",
"nvd_published_at": "2026-01-06T01:16:01Z",
"severity": "HIGH"
},
"details": "### Summary\nPterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.\n\n### Details\nWhen a user opens a connection to a server using the Wings SFTP server instance the permissions are checked and returned from the authentication API call made to the Panel. However, credentials are not checked again after the initial handshake. Thus, if a user is removed from a server in the panel or have their permissions modified, those permissions are not updated in the SFTP connection.\n\nAs a result, a user that has already gained access to a server\u0027s files via the SFTP subsystem will maintain those permissions until disconnected (via Wings restart, or a manual disconnection on their end).\n\n\u003e [!NOTE]\n\u003e\n\u003e This issue impacts the SFTP subsystem for server files specifically. There is no exposure of Wings private data, or any data outside of a server\u0027s local filesystem. Additionally, a user must have been _connected to SFTP at the time of their permissions being revoked_ in order for this issue to be exploited. If a user was not connected, they would not be able to connect once their permissions were reduced.\n\n### Fix\nPlease upgrade to `wings@1.12.0` and `panel@1.12.0` to resolve this issue. Patches are available via the implementation PRs, but it is recommended to apply by upgrading the entire instance.",
"id": "GHSA-8c39-xppg-479c",
"modified": "2026-01-06T17:18:56Z",
"published": "2026-01-06T17:18:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68954"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
},
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced"
}
GHSA-8CV6-H2PR-548G
Vulnerability from github – Published: 2024-03-06 18:30 – Updated: 2024-03-06 18:30A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device.
This vulnerability is due to a failure to invalidate locally created trusted sessions after a reboot of the affected device. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permissions.
{
"affected": [],
"aliases": [
"CVE-2024-20301"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-06T17:15:08Z",
"severity": "MODERATE"
},
"details": "A vulnerability in Cisco Duo Authentication for Windows Logon and RDP could allow an authenticated, physical attacker to bypass secondary authentication and access an affected Windows device. \n\n This vulnerability is due to a failure to invalidate locally created trusted sessions after a reboot of the affected device. An attacker with primary user credentials could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the affected device without valid permissions.",
"id": "GHSA-8cv6-h2pr-548g",
"modified": "2024-03-06T18:30:37Z",
"published": "2024-03-06T18:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20301"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-win-bypass-pn42KKBm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.