CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-Q929-G23J-2RC7
Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 09:30A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
{
"affected": [],
"aliases": [
"CVE-2026-9705"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T17:17:03Z",
"severity": "MODERATE"
},
"details": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
"id": "GHSA-q929-g23j-2rc7",
"modified": "2026-06-26T09:30:46Z",
"published": "2026-06-25T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9705"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q95V-68H8-44X6
Vulnerability from github – Published: 2023-10-29 03:30 – Updated: 2023-10-29 03:30Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.
{
"affected": [],
"aliases": [
"CVE-2023-5838"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-29T01:15:41Z",
"severity": "MODERATE"
},
"details": "Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.",
"id": "GHSA-q95v-68h8-44x6",
"modified": "2023-10-29T03:30:30Z",
"published": "2023-10-29T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5838"
},
{
"type": "WEB",
"url": "https://github.com/linkstackorg/linkstack/commit/02f620092255f07e1d0252a0190fd42ef773ba05"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/8f6feca3-386d-4897-801c-39b9e3e5eb03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-QC92-5V9V-HH5W
Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-03-05 21:30The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
{
"affected": [],
"aliases": [
"CVE-2026-25711"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T00:16:57Z",
"severity": "HIGH"
},
"details": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests.",
"id": "GHSA-qc92-5v9v-hh5w",
"modified": "2026-03-05T21:30:27Z",
"published": "2026-02-27T00:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25711"
},
{
"type": "WEB",
"url": "https://chargemap.com/en-us/support"
},
{
"type": "WEB",
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QHMC-3MVR-F2J4
Vulnerability from github – Published: 2025-12-15 15:30 – Updated: 2026-06-05 14:34An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-allauth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "65.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-65430"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T19:33:33Z",
"nvd_published_at": "2025-12-15T14:15:57Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.",
"id": "GHSA-qhmc-3mvr-f2j4",
"modified": "2026-06-05T14:34:45Z",
"published": "2025-12-15T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65430"
},
{
"type": "WEB",
"url": "https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0"
},
{
"type": "WEB",
"url": "https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d"
},
{
"type": "WEB",
"url": "https://allauth.org/news/2025/10/django-allauth-65.13.0-released"
},
{
"type": "PACKAGE",
"url": "https://codeberg.org/allauth/django-allauth"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-allauth/PYSEC-2025-110.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "django-allauth does not reject access tokens for inactive users"
}
GHSA-QPPM-G56G-FPVP
Vulnerability from github – Published: 2026-01-20 18:58 – Updated: 2026-01-21 21:11Summary
A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.
Details
Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.
This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.
### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state
The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.
Patches
Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared
Workarounds
- Use server-side session storage instead of a cookie store like Rails's cookie store
- Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions
References
- https://github.com/hotwired/turbo/pull/1399
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.0.20"
},
"package": {
"ecosystem": "npm",
"name": "@hotwired/turbo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.0.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66803"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-367",
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-20T18:58:15Z",
"nvd_published_at": "2026-01-20T19:15:49Z",
"severity": "LOW"
},
"details": "### Summary\nA race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.\n\n### Details\nBrowsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.\n\nThis condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.\n\n ### Impact\n Applications using Turbo Frames with cookie-based session storage may experience:\n - Session state reversion after logout\n - Unintended restoration of previous authentication state\n\nThe impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.\n\n### Patches\n Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when:\n - The frame element is disconnected from the DOM\n - The frame\u0027s disabled attribute is set\n - The frame\u0027s src attribute is cleared\n\n### Workarounds\n - Use server-side session storage instead of a cookie store like Rails\u0027s cookie store\n - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions\n\n### References\n - https://github.com/hotwired/turbo/pull/1399",
"id": "GHSA-qppm-g56g-fpvp",
"modified": "2026-01-21T21:11:06Z",
"published": "2026-01-20T18:58:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66803"
},
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/pull/1399"
},
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d"
},
{
"type": "PACKAGE",
"url": "https://github.com/hotwired/turbo"
},
{
"type": "WEB",
"url": "https://github.com/hotwired/turbo/releases/tag/v8.0.21"
},
{
"type": "WEB",
"url": "https://turbo.hotwired.dev/handbook/frames"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Turbo Frame responses can restore stale session cookies"
}
GHSA-QQ8M-9RPX-W2FM
Vulnerability from github – Published: 2023-08-06 03:30 – Updated: 2023-08-09 14:30Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "admidio/admidio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4190"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-09T14:30:23Z",
"nvd_published_at": "2023-08-06T01:15:10Z",
"severity": "MODERATE"
},
"details": "Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user\u0027s session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.",
"id": "GHSA-qq8m-9rpx-w2fm",
"modified": "2023-08-09T14:30:23Z",
"published": "2023-08-06T03:30:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4190"
},
{
"type": "WEB",
"url": "https://github.com/admidio/admidio/commit/391fb2af5bee641837a58e7dd66ff76eac92bb74"
},
{
"type": "PACKAGE",
"url": "https://github.com/admidio/admidio"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/71bc75d2-320c-4332-ad11-9de535a06d92"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Admidio Insufficient Session Expiration vulnerability"
}
GHSA-QQFM-8GGF-XPCH
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-17 00:00HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.
{
"affected": [],
"aliases": [
"CVE-2021-27751"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-06T18:15:00Z",
"severity": "LOW"
},
"details": "HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.",
"id": "GHSA-qqfm-8ggf-xpch",
"modified": "2022-05-17T00:00:53Z",
"published": "2022-05-07T00:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27751"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRFJ-W3WQ-P623
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-01 21:31A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.
{
"affected": [],
"aliases": [
"CVE-2025-28132"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T17:15:46Z",
"severity": "MODERATE"
},
"details": "A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.",
"id": "GHSA-qrfj-w3wq-p623",
"modified": "2025-04-01T21:31:27Z",
"published": "2025-04-01T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28132"
},
{
"type": "WEB",
"url": "https://github.com/harshal79/Insufficient-Session-Expiration.git"
},
{
"type": "WEB",
"url": "https://www.nagios.com/changelog/#network-analyzer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QRV8-99H7-2C7V
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.
{
"affected": [],
"aliases": [
"CVE-2021-33982"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T17:15:00Z",
"severity": "HIGH"
},
"details": "An insufficient session expiration vulnerability exists in the \"Fish | Hunt FL\" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.",
"id": "GHSA-qrv8-99h7-2c7v",
"modified": "2022-05-24T19:13:20Z",
"published": "2022-05-24T19:13:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33982"
},
{
"type": "WEB",
"url": "https://gist.github.com/p4lsec/1f024d96b44ea733cdae0605c7ce8a49"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QW2F-33VP-25MQ
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)
{
"affected": [],
"aliases": [
"CVE-2021-24019"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T10:15:00Z",
"severity": "CRITICAL"
},
"details": "An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)",
"id": "GHSA-qw2f-33vp-25mq",
"modified": "2022-05-24T19:16:50Z",
"published": "2022-05-24T19:16:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24019"
},
{
"type": "WEB",
"url": "https://fortiguard.com/advisory/FG-IR-20-072"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.