CVE-2026-28275 (GCVE-0-2026-28275)

Vulnerability from cvelistv5 – Published: 2026-02-26 22:56 – Updated: 2026-02-27 17:44
VLAI?
Title
Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)
Summary
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-613 - Insufficient Session Expiration
Assigner
References
Impacted products
Vendor Product Version
Morelitea initiative Affected: < 0.32.4
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28275",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-27T17:42:45.634963Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-27T17:44:23.728Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "initiative",
          "vendor": "Morelitea",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.32.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T22:56:07.815Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h"
        },
        {
          "name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"
        }
      ],
      "source": {
        "advisory": "GHSA-hww6-3fww-xw3h",
        "discovery": "UNKNOWN"
      },
      "title": "Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28275",
    "datePublished": "2026-02-26T22:56:07.815Z",
    "dateReserved": "2026-02-26T01:52:58.734Z",
    "dateUpdated": "2026-02-27T17:44:23.728Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-28275\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-26T23:16:37.240\",\"lastModified\":\"2026-02-27T19:07:07.187\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"Initiative es una plataforma de gesti\u00f3n de proyectos autoalojada. Las versiones de la aplicaci\u00f3n anteriores a la 0.32.4 no invalidan los tokens de acceso JWT emitidos previamente despu\u00e9s de que un usuario cambia su contrase\u00f1a. Como resultado, los tokens m\u00e1s antiguos permanecen v\u00e1lidos hasta su expiraci\u00f3n y a\u00fan pueden utilizarse para acceder a puntos finales de API protegidos. Este comportamiento permite el acceso autenticado continuado incluso despu\u00e9s de que la contrase\u00f1a de la cuenta haya sido actualizada. La versi\u00f3n 0.32.4 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.32.4\",\"matchCriteriaId\":\"0B50ACE8-1939-4039-8DC6-F45DB13167D5\"}]}]}],\"references\":[{\"url\":\"https://github.com/Morelitea/initiative/releases/tag/v0.32.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-28275\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-27T17:42:45.634963Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-27T17:44:19.029Z\"}}], \"cna\": {\"title\": \"Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)\", \"source\": {\"advisory\": \"GHSA-hww6-3fww-xw3h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"Morelitea\", \"product\": \"initiative\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.32.4\"}]}], \"references\": [{\"url\": \"https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h\", \"name\": \"https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Morelitea/initiative/releases/tag/v0.32.4\", \"name\": \"https://github.com/Morelitea/initiative/releases/tag/v0.32.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613: Insufficient Session Expiration\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-26T22:56:07.815Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-28275\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-27T17:44:23.728Z\", \"dateReserved\": \"2026-02-26T01:52:58.734Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-26T22:56:07.815Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.