Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-63GW-9JW7-V975

Vulnerability from github – Published: 2024-07-22 15:32 – Updated: 2024-07-22 15:32
VLAI
Details

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41827"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-22T15:15:05Z",
    "severity": "HIGH"
  },
  "details": "In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration",
  "id": "GHSA-63gw-9jw7-v975",
  "modified": "2024-07-22T15:32:42Z",
  "published": "2024-07-22T15:32:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41827"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-63V5-26VQ-M4VM

Vulnerability from github – Published: 2026-01-26 21:30 – Updated: 2026-03-06 00:31
VLAI
Summary
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
Details

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the NotOnOrAfter timestamp within the SubjectConfirmationData. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-1190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-112",
      "CWE-347",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-27T21:56:13Z",
    "nvd_published_at": "2026-01-26T20:16:09Z",
    "severity": "LOW"
  },
  "details": "A flaw was found in Keycloak\u0027s SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.",
  "id": "GHSA-63v5-26vq-m4vm",
  "modified": "2026-03-06T00:31:28Z",
  "published": "2026-01-26T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/45646"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3947"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:3948"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1190"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak\u0027s missing timestamp validation allows attackers to extend SAML response validity periods"
}

GHSA-64W3-5Q9M-68XF

Vulnerability from github – Published: 2025-10-23 15:30 – Updated: 2026-02-17 17:20
VLAI
Summary
Keycloak does not invalidate sessions when "Remember Me" is disabled
Details

A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "26.3.0"
            },
            {
              "fixed": "26.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-services"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "26.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-11429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-23T19:24:48Z",
    "nvd_published_at": "2025-10-23T14:15:35Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the \"Remember Me\" realm setting on existing user sessions. Sessions created while \"Remember Me\" was active retain their extended session lifetime until they expire, overriding the administrator\u0027s recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local \"remember-me\" flag without validating the current realm-level configuration.",
  "id": "GHSA-64w3-5q9m-68xf",
  "modified": "2026-02-17T17:20:04Z",
  "published": "2025-10-23T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/issues/43328"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/a34094100716b7c69ae38eaed6678ab4344d0a1d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/a752492843e21c3ab06090616692e53001864158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keycloak/keycloak/commit/bda0e2a67c8cf41d1b3d9010e6dfcddaf79bf59b"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:22088"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2025:22089"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-11429"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402148"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keycloak/keycloak"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak does not invalidate sessions when \"Remember Me\" is disabled"
}

GHSA-65C7-88XP-PCV7

Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2022-10-25 19:00
VLAI
Details

Prima Systems FlexAir devices have an Insufficient Session-ID Length.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-7280"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-01T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "Prima Systems FlexAir devices have an Insufficient Session-ID Length.",
  "id": "GHSA-65c7-88xp-pcv7",
  "modified": "2022-10-25T19:00:32Z",
  "published": "2022-05-24T16:49:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7280"
    },
    {
      "type": "WEB",
      "url": "https://applied-risk.com/labs/advisories"
    },
    {
      "type": "WEB",
      "url": "https://www.applied-risk.com/resources/ar-2019-007"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-19-211-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65MJ-98XR-M8MH

Vulnerability from github – Published: 2023-05-02 21:31 – Updated: 2024-04-04 03:46
VLAI
Details

An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30403"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-02T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful attempt by a legitimate user.",
  "id": "GHSA-65mj-98xr-m8mh",
  "modified": "2024-04-04T03:46:45Z",
  "published": "2023-05-02T21:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30403"
    },
    {
      "type": "WEB",
      "url": "https://dl.packetstormsecurity.net/2305-exploits/aigitalwnr-bypass.txt"
    },
    {
      "type": "WEB",
      "url": "https://mandomat.github.io/2023-04-13-testing-a-cheap-wifi-repeater"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-65V7-8599-57VR

Vulnerability from github – Published: 2025-10-01 18:30 – Updated: 2025-10-01 18:30
VLAI
Details

IBM Transformation Extender Advanced 10.0.1

does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-49881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T17:15:37Z",
    "severity": "MODERATE"
  },
  "details": "IBM Transformation Extender Advanced 10.0.1 \n\ndoes not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-65v7-8599-57vr",
  "modified": "2025-10-01T18:30:38Z",
  "published": "2025-10-01T18:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49881"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7246882"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-666M-X6MQ-3HP8

Vulnerability from github – Published: 2023-06-05 03:31 – Updated: 2024-04-04 04:31
VLAI
Details

IBM Security Guardium 11.5 could allow a user to take over another user's session due to insufficient session expiration. IBM X-Force ID: 243657.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-0041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-05T01:15:45Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Guardium 11.5 could allow a user to take over another user\u0027s session due to insufficient session expiration.  IBM X-Force ID:  243657.",
  "id": "GHSA-666m-x6mq-3hp8",
  "modified": "2024-04-04T04:31:33Z",
  "published": "2023-06-05T03:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0041"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/243657"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7000021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-66HX-CHF7-3332

Vulnerability from github – Published: 2026-04-14 23:38 – Updated: 2026-04-24 20:42
VLAI
Summary
pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
Details

Summary

pyLoad caches role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.

As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions.

This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature.

Details

The WebUI auth flow stores authorization state in session:

  • src/pyload/webui/app/helpers.py:187-200
  • set_session(...) writes:
    • "role": user_info["role"]
    • "perms": user_info["permission"]

Authorization checks later trust cached session values:

  • src/pyload/webui/app/helpers.py:134-151
  • parse_permissions(...) reads session.get("role") / session.get("perms")
  • src/pyload/webui/app/helpers.py:225-230
  • is_authenticated(...) only verifies authenticated and api.user_exists(user) (existence), not fresh role/permission
  • src/pyload/webui/app/helpers.py:267-275
  • login_required(...) uses parse_permissions(s) for allow/deny decisions
  • src/pyload/webui/app/helpers.py:356-365
  • API session auth path also trusts s["role"] and s["perms"]

Role/permission updates are written to DB but active sessions are not invalidated/refreshed:

  • src/pyload/webui/app/blueprints/json_blueprint.py:389-434
  • update_users(...) calls api.set_user_permission(...) and returns
  • src/pyload/core/api/__init__.py:1643-1645
  • set_user_permission(...) updates DB role/permission only

Default exposure window is long:

  • src/pyload/core/config/default.cfg:47
  • session_lifetime = 44640 minutes (~31 days)

Therefore, privilege revocation is not enforced immediately for active sessions.

Note on duplicates: - This appears distinct from CVE-2023-0227 (session validity after user deletion) because this report is about stale authorization after role/permission changes while the user still exists.

PoC

#!/usr/bin/env python3
"""
Repro: stale session privilege after role/permission changes.

This PoC is source-based and leaves no persistent state.
It validates that:
1) Role/permission are cached into session at login.
2) Authorization checks read role/permission from session, not fresh DB values.
3) User updates write DB permission/role without invalidating active sessions.
4) Default session lifetime is long, increasing stale-privilege exposure window.
"""

from __future__ import annotations

import pathlib
import re
from typing import Iterable


ROOT = pathlib.Path(__file__).resolve().parent / "pyload" / "src" / "pyload"


def read(rel: str) -> str:
    return (ROOT / rel).read_text(encoding="utf-8")


def has_any(text: str, patterns: Iterable[str]) -> bool:
    return all(re.search(p, text, re.MULTILINE) for p in patterns)


def main() -> None:
    helpers = read("webui/app/helpers.py")
    json_blueprint = read("webui/app/blueprints/json_blueprint.py")
    api_init = read("core/api/__init__.py")
    default_cfg = (ROOT / "core/config/default.cfg").read_text(encoding="utf-8")

    checks = {
        "set_session_caches_role_perms": has_any(
            helpers,
            [
                r'def\\s+set_session\\(',
                r'"role"\\s*:\\s*user_info\\["role"\\]',
                r'"perms"\\s*:\\s*user_info\\["permission"\\]',
            ],
        ),
        "is_authenticated_only_checks_user_exists": has_any(
            helpers,
            [
                r'def\\s+is_authenticated\\(',
                r'api\\s*=\\s*flask\\.current_app\\.config\\["PYLOAD_API"\\]',
                r'return\\s+authenticated\\s+and\\s+api\\.user_exists\\(user\\)',
            ],
        ),
        "parse_permissions_reads_session_cache": has_any(
            helpers,
            [
                r'def\\s+parse_permissions\\(',
                r'session\\.get\\("role"\\)\\s*==\\s*Role\\.ADMIN',
                r'session\\.get\\("perms"\\)',
            ],
        ),
        "login_required_uses_parse_permissions_session": has_any(
            helpers,
            [
                r'def\\s+login_required\\(',
                r'if\\s+is_authenticated\\(s\\):',
                r'perms\\s*=\\s*parse_permissions\\(s\\)',
            ],
        ),
        "api_session_auth_uses_cached_role_perms": has_any(
            helpers,
            [
                r'if\\s+is_authenticated\\(s\\):',
                r'"role"\\s*:\\s*s\\["role"\\]',
                r'"permission"\\s*:\\s*s\\["perms"\\]',
            ],
        ),
        "update_users_changes_db_without_session_invalidation": has_any(
            json_blueprint,
            [
                r'def\\s+update_users\\(',
                r'api\\.set_user_permission\\(name,\\s*data\\["permission"\\],\\s*data\\["role"\\]\\)',
                r'return\\s+jsonify\\(True\\)',
            ],
        ),
        "set_user_permission_only_updates_db": has_any(
            api_init,
            [
                r'def\\s+set_user_permission\\(',
                r'self\\.pyload\\.db\\.set_permission\\(user,\\s*permission\\)',
                r'self\\.pyload\\.db\\.set_role\\(user,\\s*role\\)',
            ],
        ),
        "default_session_lifetime_long": re.search(
            r'session_lifetime\\s*:\\s*"Session lifetime \\(minutes\\)"\\s*=\\s*44640',
            default_cfg,
            re.MULTILINE,
        )
        is not None,
    }

    for name, ok in checks.items():
        print(f"{name}={ok}")

    stale_privilege_repro_success = all(checks.values())
    print(f"stale_privilege_repro_success={stale_privilege_repro_success}")

    # Cleanup: this PoC creates/modifies no runtime/data files.
    print("cleanup_done=True")


if __name__ == "__main__":
    main()
set_session_caches_role_perms=True
is_authenticated_only_checks_user_exists=True
parse_permissions_reads_session_cache=True
login_required_uses_parse_permissions_session=True
api_session_auth_uses_cached_role_perms=True
update_users_changes_db_without_session_invalidation=True
set_user_permission_only_updates_db=True
default_session_lifetime_long=True
stale_privilege_repro_success=True
cleanup_done=True

Impact

  • Privilege revocation is not immediate for active sessions.
  • A user can continue using stale, previously granted privileges (including admin) after downgrade/restriction.
  • This can allow continued access to privileged WebUI/API actions until session expiry or manual logout/session reset.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "pyload-ng"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.5.0b3.dev97"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T23:38:35Z",
    "nvd_published_at": "2026-04-22T00:16:29Z",
    "severity": "HIGH"
  },
  "details": "### Summary\npyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user\u0027s role/permissions in the database.\n\nAs a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions.\n\nThis is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature.\n\n### Details\nThe WebUI auth flow stores authorization state in session:\n\n- `src/pyload/webui/app/helpers.py:187-200`\n  - `set_session(...)` writes:\n    - `\"role\": user_info[\"role\"]`\n    - `\"perms\": user_info[\"permission\"]`\n\nAuthorization checks later trust cached session values:\n\n- `src/pyload/webui/app/helpers.py:134-151`\n  - `parse_permissions(...)` reads `session.get(\"role\")` / `session.get(\"perms\")`\n- `src/pyload/webui/app/helpers.py:225-230`\n  - `is_authenticated(...)` only verifies `authenticated` and `api.user_exists(user)` (existence), not fresh role/permission\n- `src/pyload/webui/app/helpers.py:267-275`\n  - `login_required(...)` uses `parse_permissions(s)` for allow/deny decisions\n- `src/pyload/webui/app/helpers.py:356-365`\n  - API session auth path also trusts `s[\"role\"]` and `s[\"perms\"]`\n\nRole/permission updates are written to DB but active sessions are not invalidated/refreshed:\n\n- `src/pyload/webui/app/blueprints/json_blueprint.py:389-434`\n  - `update_users(...)` calls `api.set_user_permission(...)` and returns\n- `src/pyload/core/api/__init__.py:1643-1645`\n  - `set_user_permission(...)` updates DB role/permission only\n\nDefault exposure window is long:\n\n- `src/pyload/core/config/default.cfg:47`\n  - `session_lifetime = 44640` minutes (~31 days)\n\nTherefore, privilege revocation is not enforced immediately for active sessions.\n\nNote on duplicates:\n- This appears distinct from CVE-2023-0227 (session validity after **user deletion**) because this report is about stale authorization after **role/permission changes** while the user still exists.\n\n### PoC\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nRepro: stale session privilege after role/permission changes.\n\nThis PoC is source-based and leaves no persistent state.\nIt validates that:\n1) Role/permission are cached into session at login.\n2) Authorization checks read role/permission from session, not fresh DB values.\n3) User updates write DB permission/role without invalidating active sessions.\n4) Default session lifetime is long, increasing stale-privilege exposure window.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport pathlib\nimport re\nfrom typing import Iterable\n\n\nROOT = pathlib.Path(__file__).resolve().parent / \"pyload\" / \"src\" / \"pyload\"\n\n\ndef read(rel: str) -\u003e str:\n    return (ROOT / rel).read_text(encoding=\"utf-8\")\n\n\ndef has_any(text: str, patterns: Iterable[str]) -\u003e bool:\n    return all(re.search(p, text, re.MULTILINE) for p in patterns)\n\n\ndef main() -\u003e None:\n    helpers = read(\"webui/app/helpers.py\")\n    json_blueprint = read(\"webui/app/blueprints/json_blueprint.py\")\n    api_init = read(\"core/api/__init__.py\")\n    default_cfg = (ROOT / \"core/config/default.cfg\").read_text(encoding=\"utf-8\")\n\n    checks = {\n        \"set_session_caches_role_perms\": has_any(\n            helpers,\n            [\n                r\u0027def\\\\s+set_session\\\\(\u0027,\n                r\u0027\"role\"\\\\s*:\\\\s*user_info\\\\[\"role\"\\\\]\u0027,\n                r\u0027\"perms\"\\\\s*:\\\\s*user_info\\\\[\"permission\"\\\\]\u0027,\n            ],\n        ),\n        \"is_authenticated_only_checks_user_exists\": has_any(\n            helpers,\n            [\n                r\u0027def\\\\s+is_authenticated\\\\(\u0027,\n                r\u0027api\\\\s*=\\\\s*flask\\\\.current_app\\\\.config\\\\[\"PYLOAD_API\"\\\\]\u0027,\n                r\u0027return\\\\s+authenticated\\\\s+and\\\\s+api\\\\.user_exists\\\\(user\\\\)\u0027,\n            ],\n        ),\n        \"parse_permissions_reads_session_cache\": has_any(\n            helpers,\n            [\n                r\u0027def\\\\s+parse_permissions\\\\(\u0027,\n                r\u0027session\\\\.get\\\\(\"role\"\\\\)\\\\s*==\\\\s*Role\\\\.ADMIN\u0027,\n                r\u0027session\\\\.get\\\\(\"perms\"\\\\)\u0027,\n            ],\n        ),\n        \"login_required_uses_parse_permissions_session\": has_any(\n            helpers,\n            [\n                r\u0027def\\\\s+login_required\\\\(\u0027,\n                r\u0027if\\\\s+is_authenticated\\\\(s\\\\):\u0027,\n                r\u0027perms\\\\s*=\\\\s*parse_permissions\\\\(s\\\\)\u0027,\n            ],\n        ),\n        \"api_session_auth_uses_cached_role_perms\": has_any(\n            helpers,\n            [\n                r\u0027if\\\\s+is_authenticated\\\\(s\\\\):\u0027,\n                r\u0027\"role\"\\\\s*:\\\\s*s\\\\[\"role\"\\\\]\u0027,\n                r\u0027\"permission\"\\\\s*:\\\\s*s\\\\[\"perms\"\\\\]\u0027,\n            ],\n        ),\n        \"update_users_changes_db_without_session_invalidation\": has_any(\n            json_blueprint,\n            [\n                r\u0027def\\\\s+update_users\\\\(\u0027,\n                r\u0027api\\\\.set_user_permission\\\\(name,\\\\s*data\\\\[\"permission\"\\\\],\\\\s*data\\\\[\"role\"\\\\]\\\\)\u0027,\n                r\u0027return\\\\s+jsonify\\\\(True\\\\)\u0027,\n            ],\n        ),\n        \"set_user_permission_only_updates_db\": has_any(\n            api_init,\n            [\n                r\u0027def\\\\s+set_user_permission\\\\(\u0027,\n                r\u0027self\\\\.pyload\\\\.db\\\\.set_permission\\\\(user,\\\\s*permission\\\\)\u0027,\n                r\u0027self\\\\.pyload\\\\.db\\\\.set_role\\\\(user,\\\\s*role\\\\)\u0027,\n            ],\n        ),\n        \"default_session_lifetime_long\": re.search(\n            r\u0027session_lifetime\\\\s*:\\\\s*\"Session lifetime \\\\(minutes\\\\)\"\\\\s*=\\\\s*44640\u0027,\n            default_cfg,\n            re.MULTILINE,\n        )\n        is not None,\n    }\n\n    for name, ok in checks.items():\n        print(f\"{name}={ok}\")\n\n    stale_privilege_repro_success = all(checks.values())\n    print(f\"stale_privilege_repro_success={stale_privilege_repro_success}\")\n\n    # Cleanup: this PoC creates/modifies no runtime/data files.\n    print(\"cleanup_done=True\")\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n```text\nset_session_caches_role_perms=True\nis_authenticated_only_checks_user_exists=True\nparse_permissions_reads_session_cache=True\nlogin_required_uses_parse_permissions_session=True\napi_session_auth_uses_cached_role_perms=True\nupdate_users_changes_db_without_session_invalidation=True\nset_user_permission_only_updates_db=True\ndefault_session_lifetime_long=True\nstale_privilege_repro_success=True\ncleanup_done=True\n```\n\n### Impact\n- Privilege revocation is not immediate for active sessions.\n- A user can continue using stale, previously granted privileges (including admin) after downgrade/restriction.\n- This can allow continued access to privileged WebUI/API actions until session expiry or manual logout/session reset.",
  "id": "GHSA-66hx-chf7-3332",
  "modified": "2026-04-24T20:42:27Z",
  "published": "2026-04-14T23:38:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/security/advisories/GHSA-66hx-chf7-3332"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41133"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pyload/pyload/commit/e95804fb0d06cbb07d2ba380fc494d9ff89b68c1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyload/pyload"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)"
}

GHSA-68QV-W55V-9MRV

Vulnerability from github – Published: 2026-03-25 21:30 – Updated: 2026-03-25 21:30
VLAI
Details

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified which could allow an authenticated user to retain access to sensitive information. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CWE: CWE-613: Insufficient Session Expiration CVSS Source: IBM CVSS Base score: 6.3 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14810"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T21:16:23Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified which could allow an authenticated user to retain access to sensitive information. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CWE: CWE-613: Insufficient Session Expiration CVSS Source: IBM CVSS Base score: 6.3 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)",
  "id": "GHSA-68qv-w55v-9mrv",
  "modified": "2026-03-25T21:30:36Z",
  "published": "2026-03-25T21:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14810"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7266696"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-68X5-XX89-W9MM

Vulnerability from github – Published: 2026-04-09 17:34 – Updated: 2026-04-28 18:27
VLAI
Summary
OpenClaw: resolvedAuth closure becomes stale after config reload
Details

Impact

resolvedAuth closure becomes stale after config reload.

After a config reload, newly accepted gateway connections could continue using stale resolved auth state.

OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: 2026.4.8

Fix

The issue was fixed on main and is available in the patched npm version listed above. The verified fixed tree is commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5.

Verification

The fix was re-checked against main before publication, including targeted regression tests for the affected security boundary.

Credits

Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41916"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-09T17:34:27Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Impact\n\nresolvedAuth closure becomes stale after config reload.\n\nAfter a config reload, newly accepted gateway connections could continue using stale resolved auth state.\n\nOpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service boundary.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.4.1`\n- Patched versions: `2026.4.8`\n\n## Fix\n\nThe issue was fixed on `main` and is available in the patched npm version listed above. The verified fixed tree is commit `d7c3210cd6f5fdfdc1beff4c9541673e814354d5`.\n\n## Verification\n\nThe fix was re-checked against `main` before publication, including targeted regression tests for the affected security boundary.\n\n## Credits\n\nThanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
  "id": "GHSA-68x5-xx89-w9mm",
  "modified": "2026-04-28T18:27:09Z",
  "published": "2026-04-09T17:34:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-68x5-xx89-w9mm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: resolvedAuth closure becomes stale after config reload"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.