Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

876 vulnerabilities reference this CWE, most recent first.

GHSA-77W8-QV8M-386H

Vulnerability from github – Published: 2022-05-17 04:31 – Updated: 2024-11-26 18:33
VLAI
Summary
OpenStack Keystone Domain-scoped tokens don't get revoked
Details

OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.0a0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-5253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-14T21:16:52Z",
    "nvd_published_at": "2014-08-25T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.",
  "id": "GHSA-77w8-qv8m-386h",
  "modified": "2024-11-26T18:33:23Z",
  "published": "2022-05-17T04:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-5253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/317f9d34b4da20c21edd5b851889298b67c843e1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/3e035ebb726167aef43c4a865c7e7f7d3b0978fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/c4447f16da036fe878382ce4e1b05b84bdcc4d4e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/cccc3f3239c68479de0f6a41bd64badf2a9ec9e7"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1349597"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2014-109.yaml"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1121.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1122.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/08/15/6"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2324-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack Keystone Domain-scoped tokens don\u0027t get revoked"
}

GHSA-79GG-W7M7-C3GC

Vulnerability from github – Published: 2025-04-24 00:31 – Updated: 2025-04-24 00:31
VLAI
Details

IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22351"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-23T23:15:15Z",
    "severity": "MODERATE"
  },
  "details": "IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-79gg-w7m7-c3gc",
  "modified": "2025-04-24T00:31:19Z",
  "published": "2025-04-24T00:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22351"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7229921"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-79HX-G43V-XFMR

Vulnerability from github – Published: 2023-03-21 06:30 – Updated: 2023-03-23 19:01
VLAI
Summary
Answer vulnerable to Insufficient Session Expiration
Details

Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/answerdev/answer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-1543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-21T22:31:39Z",
    "nvd_published_at": "2023-03-21T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.",
  "id": "GHSA-79hx-g43v-xfmr",
  "modified": "2023-03-23T19:01:37Z",
  "published": "2023-03-21T06:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1543"
    },
    {
      "type": "WEB",
      "url": "https://github.com/answerdev/answer/commit/cd742b75605c99776f32d271c0a60e0f468e181c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/answerdev/answer"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f82388d6-dfc3-4fbc-bea6-eb40cf5b2683"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Answer vulnerable to Insufficient Session Expiration"
}

GHSA-79M4-GX9C-J55F

Vulnerability from github – Published: 2026-06-26 00:32 – Updated: 2026-06-26 00:32
VLAI
Details

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-54479"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T22:17:02Z",
    "severity": "MODERATE"
  },
  "details": "The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.",
  "id": "GHSA-79m4-gx9c-j55f",
  "modified": "2026-06-26T00:32:06Z",
  "published": "2026-06-26T00:32:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54479"
    },
    {
      "type": "WEB",
      "url": "https://evokesystems.com/contact-us"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-176-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-7F2F-4PM3-CV4P

Vulnerability from github – Published: 2021-12-09 00:00 – Updated: 2021-12-14 00:01
VLAI
Details

Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to control a users account.",
  "id": "GHSA-7f2f-4pm3-cv4p",
  "modified": "2021-12-14T00:01:31Z",
  "published": "2021-12-09T00:00:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27416"
    },
    {
      "type": "WEB",
      "url": "https://cvewalkthrough.com/cve-2021-41716-mahavitaran-android-application-account-take-over-via-otp-fixation"
    },
    {
      "type": "WEB",
      "url": "https://play.google.com/store/apps/details?id=com.msedcl.app\u0026hl=en\u0026gl=US"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-7FMW-85QM-H22P

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2023-07-26 19:15
VLAI
Summary
Keycloak CSRF Vulnerability
Details

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.keycloak:keycloak-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-12159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-26T19:15:53Z",
    "nvd_published_at": "2017-10-26T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.",
  "id": "GHSA-7fmw-85qm-h22p",
  "modified": "2023-07-26T19:15:53Z",
  "published": "2022-05-13T01:38:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12159"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2904"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2905"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:2906"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1484111"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20210124113906/http://www.securityfocus.com/bid/101601"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Keycloak CSRF Vulnerability"
}

GHSA-7FXH-QXMW-7XH7

Vulnerability from github – Published: 2025-06-01 12:30 – Updated: 2025-06-01 12:30
VLAI
Details

IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-01T12:15:25Z",
    "severity": "MODERATE"
  },
  "details": "IBM Planning Analytics Local 2.0 and 2.1 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system.",
  "id": "GHSA-7fxh-qxmw-7xh7",
  "modified": "2025-06-01T12:30:25Z",
  "published": "2025-06-01T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33005"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7235182"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7GGW-H8PP-R95R

Vulnerability from github – Published: 2021-02-10 02:32 – Updated: 2023-09-07 17:47
VLAI
Summary
October CMS Session ID not invalidated after logout
Details

Impact

When logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed.

Patches

Issue has been patched in Build 472 (v1.0.472) and v1.1.2.

Workarounds

Apply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2.

References

  • Reported by Anisio (Brazilian Information Security Analyst)
  • http://cve.circl.lu/cve/CVE-2021-3311

For more information

If you have any questions or comments about this advisory: * Email us at hello@octobercms.com

Threat assessment:

Screen Shot 2021-02-07 at 11 50 35 PM

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/rain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.472"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "october/rain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-3311"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-10T02:30:45Z",
    "nvd_published_at": "2021-02-05T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nWhen logging out, the session ID was not invalidated. This is not a problem while the user is logged out, but as soon as the user logs back in the old session ID would be valid again; which means that anyone that gained access to the old session cookie would be able to act as the logged in user. This is not a major concern for the majority of cases, since it requires a malicious party gaining access to the session cookie in the first place, but nevertheless has been fixed.\n\n### Patches\nIssue has been patched in Build 472 (v1.0.472) and v1.1.2.\n\n### Workarounds\nApply https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024 to your installation manually if unable to upgrade to Build 472 or v1.1.2.\n\n### References\n- Reported by Anisio (Brazilian Information Security Analyst)\n- http://cve.circl.lu/cve/CVE-2021-3311\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [hello@octobercms.com](mailto:hello@octobercms.com)\n\n### Threat assessment:\n\u003cimg width=\"699\" alt=\"Screen Shot 2021-02-07 at 11 50 35 PM\" src=\"https://user-images.githubusercontent.com/7253840/107180881-51eaf000-699f-11eb-8828-333128faf2a6.png\"\u003e",
  "id": "GHSA-7ggw-h8pp-r95r",
  "modified": "2023-09-07T17:47:26Z",
  "published": "2021-02-10T02:32:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/october/security/advisories/GHSA-7ggw-h8pp-r95r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3311"
    },
    {
      "type": "WEB",
      "url": "https://github.com/octobercms/library/commit/642f597489e6f644d4bd9a0c267e864cabead024"
    },
    {
      "type": "WEB",
      "url": "https://anisiosantos.me/october-cms-token-reactivation"
    },
    {
      "type": "WEB",
      "url": "https://octobercms.com/forum/chan/announcements"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/october/rain"
    },
    {
      "type": "WEB",
      "url": "http://cve.circl.lu/cve/CVE-2021-3311"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "October CMS Session ID not invalidated after logout"
}

GHSA-7HGR-XVRR-XPW3

Vulnerability from github – Published: 2026-05-08 17:39 – Updated: 2026-05-08 17:39
VLAI
Summary
nhost has Session Persistence After Password Change
Details

Description

When a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the ChangePassword workflow correctly hashes and persists the new password via UpdateUserChangePassword. However, it does not revoke existing sessions. The auth.refresh_tokens and auth.oauth2_refresh_tokens tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.

This vulnerability affects all password change paths (handled in change_user_password.go), since they share the same underlying workflow:

  • Authenticated password change via the Nhost dashboard or client SDK
  • Ticket-based password reset (magic links / recovery flows)
  • OAuth2/OIDC sessions managed via auth.oauth2_refresh_tokens

Attack Scenario

  1. An attacker steals a victim's refresh token via XSS or a compromised device.
  2. The victim changes their password, expecting it to terminate all active sessions.
  3. The server updates password_hash but performs no session cleanup, the stolen token remains fully functional.

Impact

The attacker retains persistent access even after the victim's password change. This is especially severe in credential theft scenarios, where the victim's only recovery action does nothing against an active session. Depending on configured TTL, the attacker's window could be days or weeks.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nhost/nhost"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260430132514-52c70664a7e9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T17:39:48Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Description\n\nWhen a user changes their password, either through the authenticated password change endpoint or a password reset ticket, the [`ChangePassword`](https://github.com/nhost/nhost/blob/main/services/auth/go/controller/workflows.go#L731-L759) workflow correctly hashes and persists the new password via [`UpdateUserChangePassword`](https://github.com/nhost/nhost/blob/main/services/auth/go/sql/query.sql#L314-L318). However, it does not revoke existing sessions. The `auth.refresh_tokens` and `auth.oauth2_refresh_tokens` tables are left untouched, meaning all previously issued refresh tokens remain valid and can continue generating new access tokens indefinitely.\n\nThis vulnerability affects all password change paths (handled in [`change_user_password.go`](https://github.com/nhost/nhost/blob/main/services/auth/go/controller/change_user_password.go)), since they share the same underlying workflow:\n\n- Authenticated password change via the Nhost dashboard or client SDK\n- Ticket-based password reset (magic links / recovery flows)\n- OAuth2/OIDC sessions managed via `auth.oauth2_refresh_tokens`\n\n## Attack Scenario\n\n1. An attacker steals a victim\u0027s refresh token via XSS or a compromised device.\n2. The victim changes their password, expecting it to terminate all active sessions.\n3. The server updates `password_hash` but performs no session cleanup, the stolen token remains fully functional.\n\n## Impact\n\nThe attacker retains persistent access even after the victim\u0027s password change. This is especially severe in credential theft scenarios, where the victim\u0027s only recovery action does nothing against an active session. Depending on configured TTL, the attacker\u0027s window could be days or weeks.",
  "id": "GHSA-7hgr-xvrr-xpw3",
  "modified": "2026-05-08T17:39:48Z",
  "published": "2026-05-08T17:39:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/security/advisories/GHSA-7hgr-xvrr-xpw3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nhost/nhost/commit/52c70664a7e92031e592b873471939b10ca18079"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nhost/nhost"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "nhost has Session Persistence After Password Change"
}

GHSA-7HW8-6Q6R-4276

Vulnerability from github – Published: 2026-06-19 21:17 – Updated: 2026-06-19 21:17
VLAI
Summary
Langflow: Logout button does not clear session
Details

Summary

The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.

Details

Not in auto login mode. Hosted on localhost. access_token_lf remains present in both Local Storage and Cookies. refresh_token_lf remains present in Cookies.

Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.

LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER: <set>
LANGFLOW_SUPERUSER_PASSWORD: <set>
LANGFLOW_SECRET_KEY: <set>
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"

PoC

Click Logout. Hit refresh to return to previous screen.

Impact

Users on shared computers may falsely believe they have terminated their session.

Patches

Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 1.7.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:17:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.\n\n### Details\nNot in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf` remains present in Cookies.\n\n**Root cause:** the `/logout` endpoint deleted the authentication cookies without matching the original `httponly`/`samesite`/`secure`/`domain` parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.\n\n```\nLANGFLOW_AUTO_LOGIN: \"False\"\nLANGFLOW_SUPERUSER: \u003cset\u003e\nLANGFLOW_SUPERUSER_PASSWORD: \u003cset\u003e\nLANGFLOW_SECRET_KEY: \u003cset\u003e\nLANGFLOW_NEW_USER_IS_ACTIVE: \"False\"\nLANGFLOW_ENABLE_SUPERUSER_CLI: \"False\"\n```\n\n### PoC\nClick Logout. Hit refresh to return to previous screen.\n\n### Impact\nUsers on shared computers may falsely believe they have terminated their session.\n\n### Patches\nFixed in **1.7.0** (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to **1.7.0 or later**.",
  "id": "GHSA-7hw8-6q6r-4276",
  "modified": "2026-06-19T21:17:01Z",
  "published": "2026-06-19T21:17:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/10527"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/10528"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: Logout button does not clear session"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.