Common Weakness Enumeration

CWE-613

Allowed-with-Review

Insufficient Session Expiration

Abstraction: Base · Status: Incomplete

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

875 vulnerabilities reference this CWE, most recent first.

GHSA-Q95V-68H8-44X6

Vulnerability from github – Published: 2023-10-29 03:30 – Updated: 2023-10-29 03:30
VLAI
Details

Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-5838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-29T01:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9.",
  "id": "GHSA-q95v-68h8-44x6",
  "modified": "2023-10-29T03:30:30Z",
  "published": "2023-10-29T03:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5838"
    },
    {
      "type": "WEB",
      "url": "https://github.com/linkstackorg/linkstack/commit/02f620092255f07e1d0252a0190fd42ef773ba05"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/8f6feca3-386d-4897-801c-39b9e3e5eb03"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QC92-5V9V-HH5W

Vulnerability from github – Published: 2026-02-27 00:31 – Updated: 2026-03-05 21:30
VLAI
Details

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-27T00:16:57Z",
    "severity": "HIGH"
  },
  "details": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests.",
  "id": "GHSA-qc92-5v9v-hh5w",
  "modified": "2026-03-05T21:30:27Z",
  "published": "2026-02-27T00:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25711"
    },
    {
      "type": "WEB",
      "url": "https://chargemap.com/en-us/support"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-05.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QHMC-3MVR-F2J4

Vulnerability from github – Published: 2025-12-15 15:30 – Updated: 2026-06-05 14:34
VLAI
Summary
django-allauth does not reject access tokens for inactive users
Details

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-allauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "65.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-65430"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-16T19:33:33Z",
    "nvd_published_at": "2025-12-15T14:15:57Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.",
  "id": "GHSA-qhmc-3mvr-f2j4",
  "modified": "2026-06-05T14:34:45Z",
  "published": "2025-12-15T15:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65430"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pennersr/django-allauth/commit/39f4a4ce9c891795b00914ca5ec32de72d5369c0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pennersr/django-allauth/commit/c54edf947c5a1c8c4ff3cddb75c86000ecb2507d"
    },
    {
      "type": "WEB",
      "url": "https://allauth.org/news/2025/10/django-allauth-65.13.0-released"
    },
    {
      "type": "PACKAGE",
      "url": "https://codeberg.org/allauth/django-allauth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-allauth/PYSEC-2025-110.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "django-allauth does not reject access tokens for inactive users"
}

GHSA-QPPM-G56G-FPVP

Vulnerability from github – Published: 2026-01-20 18:58 – Updated: 2026-01-21 21:11
VLAI
Summary
Turbo Frame responses can restore stale session cookies
Details

Summary

A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.

Details

Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.

This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.

### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state

The impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.

Patches

Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when: - The frame element is disconnected from the DOM - The frame's disabled attribute is set - The frame's src attribute is cleared

Workarounds

  • Use server-side session storage instead of a cookie store like Rails's cookie store
  • Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions

References

  • https://github.com/hotwired/turbo/pull/1399
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.0.20"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@hotwired/turbo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.0.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-367",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-20T18:58:15Z",
    "nvd_published_at": "2026-01-20T19:15:49Z",
    "severity": "LOW"
  },
  "details": "###  Summary\nA race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations.\n\n### Details\nBrowsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated.\n\nThis condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state.\n\n  ### Impact\n Applications using Turbo Frames with cookie-based session storage may experience:\n  - Session state reversion after logout\n  - Unintended restoration of previous authentication state\n\nThe impact is limited to applications using client-side cookie storage for sessions. Applications using server-side session stores (Redis, database, etc.) are not meaningfully affected, as the server-side session state remains authoritative.\n\n###  Patches\n  Upgrade to Turbo 8.0.21 or later. The fix cancels in-flight Turbo Frame requests when:\n  - The frame element is disconnected from the DOM\n  - The frame\u0027s disabled attribute is set\n  - The frame\u0027s src attribute is cleared\n\n###  Workarounds\n  - Use server-side session storage instead of a cookie store like Rails\u0027s cookie store\n  - Ensure logout flows remove or disable Turbo Frame elements before invalidating sessions\n\n###  References\n  - https://github.com/hotwired/turbo/pull/1399",
  "id": "GHSA-qppm-g56g-fpvp",
  "modified": "2026-01-21T21:11:06Z",
  "published": "2026-01-20T18:58:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66803"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/pull/1399"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/commit/899df356e9f4b3303cca217cd14b3f846edda10d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hotwired/turbo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hotwired/turbo/releases/tag/v8.0.21"
    },
    {
      "type": "WEB",
      "url": "https://turbo.hotwired.dev/handbook/frames"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Turbo Frame responses can restore stale session cookies"
}

GHSA-QQ8M-9RPX-W2FM

Vulnerability from github – Published: 2023-08-06 03:30 – Updated: 2023-08-09 14:30
VLAI
Summary
Admidio Insufficient Session Expiration vulnerability
Details

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "admidio/admidio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-4190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-09T14:30:23Z",
    "nvd_published_at": "2023-08-06T01:15:10Z",
    "severity": "MODERATE"
  },
  "details": "Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user\u0027s session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.",
  "id": "GHSA-qq8m-9rpx-w2fm",
  "modified": "2023-08-09T14:30:23Z",
  "published": "2023-08-06T03:30:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/admidio/admidio/commit/391fb2af5bee641837a58e7dd66ff76eac92bb74"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/admidio/admidio"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/71bc75d2-320c-4332-ad11-9de535a06d92"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Admidio Insufficient Session Expiration vulnerability"
}

GHSA-QQFM-8GGF-XPCH

Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-17 00:00
VLAI
Details

HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-06T18:15:00Z",
    "severity": "LOW"
  },
  "details": "HCL Commerce is affected by an Insufficient Session Expiration vulnerability. After the session expires, in some circumstances, parts of the application are still accessible.",
  "id": "GHSA-qqfm-8ggf-xpch",
  "modified": "2022-05-17T00:00:53Z",
  "published": "2022-05-07T00:00:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27751"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0097650"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRFJ-W3WQ-P623

Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-04-01 21:31
VLAI
Details

A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-28132"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-01T17:15:46Z",
    "severity": "MODERATE"
  },
  "details": "A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing an attacker to impersonate users and perform actions on their behalf.",
  "id": "GHSA-qrfj-w3wq-p623",
  "modified": "2025-04-01T21:31:27Z",
  "published": "2025-04-01T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/harshal79/Insufficient-Session-Expiration.git"
    },
    {
      "type": "WEB",
      "url": "https://www.nagios.com/changelog/#network-analyzer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRV8-99H7-2C7V

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "An insufficient session expiration vulnerability exists in the \"Fish | Hunt FL\" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions.",
  "id": "GHSA-qrv8-99h7-2c7v",
  "modified": "2022-05-24T19:13:20Z",
  "published": "2022-05-24T19:13:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33982"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/p4lsec/1f024d96b44ea733cdae0605c7ce8a49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QW2F-33VP-25MQ

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24019"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-613"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-06T10:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An insufficient session expiration vulnerability [CWE- 613] in FortiClientEMS versions 6.4.2 and below, 6.2.8 and below may allow an attacker to reuse the unexpired admin user session IDs to gain admin privileges, should the attacker be able to obtain that session ID (via other, hypothetical attacks)",
  "id": "GHSA-qw2f-33vp-25mq",
  "modified": "2022-05-24T19:16:50Z",
  "published": "2022-05-24T19:16:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24019"
    },
    {
      "type": "WEB",
      "url": "https://fortiguard.com/advisory/FG-IR-20-072"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QWRJ-9HMP-GPXH

Vulnerability from github – Published: 2022-07-15 18:10 – Updated: 2023-02-09 20:22
VLAI
Summary
FlyteAdmin Insufficient AccessToken Expiration Check
Details

Impact

Authenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire. Using flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.

Patches

1.1.30

Workarounds

Rotating signing keys immediately will: * Invalidate all open sessions, * Force all users to attempt to obtain new tokens.

Continue to rotate keys until flyteadmin has been upgraded,

Hide flyteadmin deployment ingress url from the internet.

References

https://github.com/flyteorg/flyteadmin/pull/455

For more information

If you have any questions or comments about this advisory: * Open an issue in flyte repo * Email us at flyte

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/flyteorg/flyteadmin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31145"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-298",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-15T18:10:48Z",
    "nvd_published_at": "2022-07-13T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAuthenticated users using an external identity provider can continue to use Access Tokens and ID Tokens even after they expire.\nUsing flyteadmin as the OAuth2 Authorization Server is unaffected by this issue.\n\n### Patches\n1.1.30\n\n### Workarounds\nRotating signing keys immediately will:\n* Invalidate all open sessions,\n* Force all users to attempt to obtain new tokens.\n\nContinue to rotate keys until flyteadmin has been upgraded,\n\nHide flyteadmin deployment ingress url from the internet.\n\n### References\nhttps://github.com/flyteorg/flyteadmin/pull/455\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [flyte repo](https://github.com/flyteorg/flyte/issues)\n* Email us at [flyte](mailto:admin@flyte.org)\n",
  "id": "GHSA-qwrj-9hmp-gpxh",
  "modified": "2023-02-09T20:22:10Z",
  "published": "2022-07-15T18:10:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/security/advisories/GHSA-qwrj-9hmp-gpxh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/pull/455"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/commit/a1ec282d02706e074bc4986fd0412e5da3b9d00a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/flyteorg/flyteadmin"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flyteorg/flyteadmin/releases/tag/v1.1.31"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0519"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FlyteAdmin Insufficient AccessToken Expiration Check"
}

Mitigation
Implementation

Set sessions/credentials expiration date.

No CAPEC attack patterns related to this CWE.