CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
876 vulnerabilities reference this CWE, most recent first.
GHSA-G65H-35F3-X2W3
Vulnerability from github – Published: 2024-05-13 19:59 – Updated: 2024-05-14 20:04Summary
Currently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The directus_session gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be.
When authenticating a session token JWT, Directus should also check whether the associated directus_session both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely.
Steps to reproduce
- Copy the current session token from the cookie
- Refresh and or log out
- Use the saved session token to check if it is still valid
Impact
The lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser's history to access a Directus instance session previously accessed by the victim.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "10.10.0"
},
{
"fixed": "10.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-34709"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-13T19:59:39Z",
"nvd_published_at": "2024-05-14T15:39:31Z",
"severity": "MODERATE"
},
"details": "### Summary\nCurrently session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if you captured the cookie value it will still work for the entire expiry time which is set to 1 day by default. Making it effectively a long lived unrevokable stateless token instead of the stateful session token it was meant to be.\nWhen authenticating a session token JWT, Directus should also check whether the associated `directus_session` both still exists and has not expired (although the token should expire at the same time or before the session) to ensure leaked tokens are not valid indefinitely.\n\n## Steps to reproduce\n- Copy the current session token from the cookie\n- Refresh and or log out\n- Use the saved session token to check if it is still valid\n\n### Impact\nThe lack of proper session expiration may improve the likely success of certain attacks. For example, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Incorrect token invalidation could allow an attacker to use the browser\u0027s history to access a Directus instance session previously accessed by the victim.",
"id": "GHSA-g65h-35f3-x2w3",
"modified": "2024-05-14T20:04:30Z",
"published": "2024-05-13T19:59:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-g65h-35f3-x2w3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34709"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/a6172f8a6a0f31a6bf4305a090de172ebfb63bcf"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directus Lacks Session Tokens Invalidation"
}
GHSA-G692-X4M9-J29G
Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.
{
"affected": [],
"aliases": [
"CVE-2016-0234"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-30T16:29:00Z",
"severity": "LOW"
},
"details": "IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow a local user to obtain sensitive information when a previous user has logged out of the system but neglected to close their browser. IBM X-Force ID: 110303.",
"id": "GHSA-g692-x4m9-j29g",
"modified": "2022-05-13T01:38:51Z",
"published": "2022-05-13T01:38:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0234"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/110303"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21997687"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G72G-R7M4-9X4G
Vulnerability from github – Published: 2026-06-05 16:43 – Updated: 2026-06-12 19:24Summary
OAuth access and refresh tokens were not revoked when the user changed, reset, or recovered their password, leaving an attacker-issued OAuth grant valid after the user believed they had locked the attacker out.
Details
revokeAllOAuthTokensByUser in the users service was an empty stub being called from
passwordChange, passwordForgot, and passwordReset. It now delegates to
OAuthToken.revokeAllByUser(userId), which deletes the rows and invalidates the
related auth caches. All three reset/recovery flows now consistently revoke refresh
tokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate
token_version.
Impact
Persistent unauthorized access through previously issued OAuth tokens after a documented security event (password change, forgot, or reset).
Credit
This issue was reported by @bugbunny-research.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.05.0"
},
"package": {
"ecosystem": "npm",
"name": "nocodb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.05.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53926"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-05T16:43:09Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nOAuth access and refresh tokens were not revoked when the user changed, reset, or\nrecovered their password, leaving an attacker-issued OAuth grant valid after the user\nbelieved they had locked the attacker out.\n\n### Details\n`revokeAllOAuthTokensByUser` in the users service was an empty stub being called from\n`passwordChange`, `passwordForgot`, and `passwordReset`. It now delegates to\n`OAuthToken.revokeAllByUser(userId)`, which deletes the rows and invalidates the\nrelated auth caches. All three reset/recovery flows now consistently revoke refresh\ntokens (GHSA-r989-7g3j-wjhw), OAuth tokens (this advisory), and rotate\n`token_version`.\n\n### Impact\nPersistent unauthorized access through previously issued OAuth tokens after a\ndocumented security event (password change, forgot, or reset).\n\n### Credit\nThis issue was reported by [@bugbunny-research](https://github.com/bugbunny-research).",
"id": "GHSA-g72g-r7m4-9x4g",
"modified": "2026-06-12T19:24:17Z",
"published": "2026-06-05T16:43:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/security/advisories/GHSA-g72g-r7m4-9x4g"
},
{
"type": "PACKAGE",
"url": "https://github.com/nocodb/nocodb"
},
{
"type": "WEB",
"url": "https://github.com/nocodb/nocodb/releases/tag/2026.05.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "NocoDB: OAuth Tokens Persist Through Security Events"
}
GHSA-G785-R4R2-28QV
Vulnerability from github – Published: 2023-01-05 09:30 – Updated: 2023-01-11 03:30IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.
{
"affected": [],
"aliases": [
"CVE-2022-22371"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-05T07:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.1 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 221195.",
"id": "GHSA-g785-r4r2-28qv",
"modified": "2023-01-11T03:30:19Z",
"published": "2023-01-05T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22371"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/221195"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6852461"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G797-R4R7-WP94
Vulnerability from github – Published: 2024-11-26 21:32 – Updated: 2024-11-26 21:32An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.
{
"affected": [],
"aliases": [
"CVE-2024-11668"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-26T19:15:22Z",
"severity": "MODERATE"
},
"details": "An issue has been discovered in GitLab CE/EE affecting all versions from 16.11 before 17.4.5, 17.5 before 17.5.3, and 17.6 before 17.6.1. Long-lived connections could potentially bypass authentication controls, allowing unauthorized access to streaming results.",
"id": "GHSA-g797-r4r7-wp94",
"modified": "2024-11-26T21:32:24Z",
"published": "2024-11-26T21:32:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11668"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/456922"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G7R3-JWHW-2WFV
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2023-08-23 17:58Microweber v1.1.18 is affected by no session expiry after log-out.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "microweber/microweber"
},
"versions": [
"1.1.18"
]
}
],
"aliases": [
"CVE-2020-23136"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-13T21:47:43Z",
"nvd_published_at": "2020-11-09T18:15:00Z",
"severity": "MODERATE"
},
"details": "Microweber v1.1.18 is affected by no session expiry after log-out.",
"id": "GHSA-g7r3-jwhw-2wfv",
"modified": "2023-08-23T17:58:02Z",
"published": "2022-05-24T17:33:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-23136"
},
{
"type": "WEB",
"url": "https://gist.github.com/virendratiwari03/0b0d161e1141fdd74122abbb02fefe17"
},
{
"type": "PACKAGE",
"url": "https://github.com/microweber/microweber"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Microweber Insufficient Session Expiry"
}
GHSA-G863-PP98-8M8M
Vulnerability from github – Published: 2024-11-23 15:32 – Updated: 2024-11-26 21:32IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2 and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6 could allow an authenticated user to obtain sensitive information due to insufficient session expiration.
{
"affected": [],
"aliases": [
"CVE-2024-35160"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-23T14:15:18Z",
"severity": "MODERATE"
},
"details": "IBM Watson Query on Cloud Pak for Data 1.8, 2.0, 2.1, 2.2\u00a0and IBM Db2 Big SQL on Cloud Pak for Data 7.3, 7.4, 7.5, and 7.6\u00a0could allow an authenticated user to obtain sensitive information due to insufficient session expiration.",
"id": "GHSA-g863-pp98-8m8m",
"modified": "2024-11-26T21:32:24Z",
"published": "2024-11-23T15:32:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35160"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168703"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7176947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GC2C-R5JF-WHF8
Vulnerability from github – Published: 2024-09-16 15:32 – Updated: 2024-09-16 15:32IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
{
"affected": [],
"aliases": [
"CVE-2024-38315"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-16T15:15:16Z",
"severity": "MODERATE"
},
"details": "IBM Aspera Shares 1.0 through 1.10.0 PL3 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.",
"id": "GHSA-gc2c-r5jf-whf8",
"modified": "2024-09-16T15:32:46Z",
"published": "2024-09-16T15:32:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38315"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/294742"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7168379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GF6W-7F3P-CMX4
Vulnerability from github – Published: 2026-04-07 15:30 – Updated: 2026-04-07 15:30An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform.
{
"affected": [],
"aliases": [
"CVE-2026-5376"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T15:17:47Z",
"severity": "MODERATE"
},
"details": "An issue that could prevent session inactivity timeouts from triggering due to automatic page reloading has been resolved. This is an instance of CWE-613: Insufficient Control of Resources After Expiration or Release, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N (5.9 Medium). This issue was fixed in version 4.0.260203.0 of the runZero Platform.",
"id": "GHSA-gf6w-7f3p-cmx4",
"modified": "2026-04-07T15:30:52Z",
"published": "2026-04-07T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5376"
},
{
"type": "WEB",
"url": "https://help.runzero.com/docs/release-notes/#402602030"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/runzero-platform-session-timeout-failure-cve-2026-5376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GGCF-HWXP-RC77
Vulnerability from github – Published: 2023-08-03 06:30 – Updated: 2023-08-03 16:42Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/answerdev/answer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-4126"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-03T16:42:38Z",
"nvd_published_at": "2023-08-03T04:15:11Z",
"severity": "MODERATE"
},
"details": "Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0.",
"id": "GHSA-ggcf-hwxp-rc77",
"modified": "2023-08-03T16:42:38Z",
"published": "2023-08-03T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4126"
},
{
"type": "WEB",
"url": "https://github.com/answerdev/answer/commit/4f468b58d0dea51290bfbdd3e96332b0014c8730"
},
{
"type": "PACKAGE",
"url": "https://github.com/answerdev/answer"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/7f50bf1c-bcb9-46ca-8cec-211493d280c5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Answer Insufficient Session Expiration vulnerability"
}
Mitigation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.