Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-Q929-G23J-2RC7

Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 09:30
VLAI
Details

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-9705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T17:17:03Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
  "id": "GHSA-q929-g23j-2rc7",
  "modified": "2026-06-26T09:30:46Z",
  "published": "2026-06-25T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30049"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30050"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30083"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30084"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-9705"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q95V-68H8-44X6

Vulnerability from github – Published: 2023-10-29 03:30 – Updated: 2023-10-29 03:30
VLAI
Details

Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-29T01:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.",
  "id": "GHSA-q95v-68h8-44x6",
  "modified": "2023-10-29T03:30:30Z",
  "published": "2023-10-29T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5838"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkstackorg/linkstack/commit/02f620092255f07e1d0252a0190fd42ef773ba05"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8f6feca3-386d-4897-801c-39b9e3e5eb03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC92-5V9V-HH5W

Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-03-05 21:30
VLAI
Details

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T00:16:57Z",
    "severity": "HIGH"
  },
  "details": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests.",
  "id": "GHSA-qc92-5v9v-hh5w",
  "modified": "2026-03-05T21:30:27Z",
  "published": "2026-02-27T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25711"
    },
    {
      "type": "WEB",
      "url": "https://chargemap.com/en-us/support"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QHMC-3MVR-F2J4

Vulnerability from github – Published: 2025-12-15 15:30 – Updated: 2026-06-05 14:34
VLAI
Summary
django-allauth does not reject access tokens for inactive users
Details

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-allauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "65.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T19:33:33Z",
    "nvd_published_at": "2025-12-15T14:15:57Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.",
  "id": "GHSA-qhmc-3mvr-f2j4",
  "modified": "2026-06-05T14:34:45Z",
  "published": "2025-12-15T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d"
    },
    {
      "type": "WEB",
      "url": "https://allauth.org/news/2025/10/django-allauth-65.13.0-released"
    },
    {
      "type": "PACKAGE",
      "url": "https://codeberg.org/allauth/django-allauth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-allauth/PYSEC-2025-110.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "django-allauth does not reject access tokens for inactive users"
}

GHSA-QPPM-G56G-FPVP

Vulnerability from github – Published: 2026-01-20 18:58 – Updated: 2026-01-21 21:11
VLAI
Summary
Turbo Frame responses can restore stale session cookies
Details

Summary

A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.

Details

Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.

This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.

### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state

The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.

Patches

Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared

Workarounds

  • Use server-side session storage instead of a cookie store like Rails's cookie store
  • Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions

References

  • https://github.com/hotwired/turbo/pull/1399
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.20"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@hotwired/turbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T18:58:15Z",
    "nvd_published_at": "2026-01-20T19:15:49Z",
    "severity": "LOW"
  },
  "details": "###  Summary\nA race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.\n\n### Details\nBrowsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.\n\nThis condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.\n\n  ### Impact\n Applications using Turbo Frames with cookie-based session storage may experience:\n  - Session state reversion after logout\n  - Unintended restoration of previous authentication state\n\nThe impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.\n\n###  Patches\n  Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when:\n  - The frame element is disconnected from the DOM\n  - The frame\u0027s disabled attribute is set\n  - The frame\u0027s src attribute is cleared\n\n###  Workarounds\n  - Use server-side session storage instead of a cookie store like Rails\u0027s cookie store\n  - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions\n\n###  References\n  - https://github.com/hotwired/turbo/pull/1399",
  "id": "GHSA-qppm-g56g-fpvp",
  "modified": "2026-01-21T21:11:06Z",
  "published": "2026-01-20T18:58:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/pull/1399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hotwired/turbo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/releases/tag/v8.0.21"
    },
    {
      "type": "WEB",
      "url": "https://turbo.hotwired.dev/handbook/frames"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Turbo Frame responses can restore stale session cookies"
}

GHSA-QQ8M-9RPX-W2FM

Vulnerability from github – Published: 2023-08-06 03:30 – Updated: 2023-08-09 14:30
VLAI
Summary
Admidio Insufficient Session Expiration vulnerability
Details

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-09T14:30:23Z",
    "nvd_published_at": "2023-08-06T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user\u0027s session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.",
  "id": "GHSA-qq8m-9rpx-w2fm",
  "modified": "2023-08-09T14:30:23Z",
  "published": "2023-08-06T03:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/admidio/admidio/commit/391fb2af5bee641837a58e7dd66ff76eac92bb74"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/71bc75d2-320c-4332-ad11-9de535a06d92"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio Insufficient Session Expiration vulnerability"
}

GHSA-QQFM-8GGF-XPCH

Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-17 00:00
VLAI
Details

HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-06T18:15:00Z",
    "severity": "LOW"
  },
  "details": "HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.",
  "id": "GHSA-qqfm-8ggf-xpch",
  "modified": "2022-05-17T00:00:53Z",
  "published": "2022-05-07T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27751"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRFJ-W3WQ-P623

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-01 21:31
VLAI
Details

A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-28132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T17:15:46Z",
    "severity": "MODERATE"
  },
  "details": "A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.",
  "id": "GHSA-qrfj-w3wq-p623",
  "modified": "2025-04-01T21:31:27Z",
  "published": "2025-04-01T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/harshal79/Insufficient-Session-Expiration.git"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/changelog/#network-analyzer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRV8-99H7-2C7V

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An insufficient session expiration vulnerability exists in the \"Fish | Hunt FL\" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.",
  "id": "GHSA-qrv8-99h7-2c7v",
  "modified": "2022-05-24T19:13:20Z",
  "published": "2022-05-24T19:13:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33982"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/p4lsec/1f024d96b44ea733cdae0605c7ce8a49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QW2F-33VP-25MQ

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)",
  "id": "GHSA-qw2f-33vp-25mq",
  "modified": "2022-05-24T19:16:50Z",
  "published": "2022-05-24T19:16:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24019"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-20-072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.