Common Weakness Enumeration
CWE-613
Allowed-with-ReviewInsufficient Session Expiration
Abstraction: Base · Status: Incomplete
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
875 vulnerabilities reference this CWE, most recent first.
CVE-2026-24472 (GCVE-0-2026-24472)
Vulnerability from cvelistv5 – Published: 2026-01-27 19:34 – Updated: 2026-01-27 20:52
VLAI
EPSS
VEX
Title
Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
Summary
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/honojs/hono/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/honojs/hono/commit/12c511745b3… | x_refsource_MISC |
| https://github.com/honojs/hono/releases/tag/v4.11.7 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T20:36:35.704091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T20:52:05.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "hono",
"vendor": "honojs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T19:34:33.065Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4"
},
{
"name": "https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1"
},
{
"name": "https://github.com/honojs/hono/releases/tag/v4.11.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/honojs/hono/releases/tag/v4.11.7"
}
],
"source": {
"advisory": "GHSA-6wqw-2p9w-4vw4",
"discovery": "UNKNOWN"
},
"title": "Hono cache middleware ignores \"Cache-Control: private\" leading to Web Cache Deception"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24472",
"datePublished": "2026-01-27T19:34:33.065Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-01-27T20:52:05.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22706 (GCVE-0-2026-22706)
Vulnerability from cvelistv5 – Published: 2026-05-14 18:38 – Updated: 2026-05-15 14:52
VLAI
EPSS
VEX
Title
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Summary
Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/strapi/strapi/security/advisor… | x_refsource_CONFIRM |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| strapi | strapi |
Affected:
< 5.33.3
|
|
| strapi | @strapi/admin |
Affected:
< 5.33.3
|
|
| strapi | @strapi/plugin-users-permissions |
Affected:
< 5.33.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-15T14:50:52.300520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T14:52:06.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "strapi",
"vendor": "strapi",
"versions": [
{
"status": "affected",
"version": "\u003c 5.33.3"
}
]
},
{
"product": "@strapi/admin",
"vendor": "strapi",
"versions": [
{
"status": "affected",
"version": "\u003c 5.33.3"
}
]
},
{
"product": "@strapi/plugin-users-permissions",
"vendor": "strapi",
"versions": [
{
"status": "affected",
"version": "\u003c 5.33.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user\u0027s password did not invalidate the user\u0027s existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication controllers was conditional on a caller-supplied `deviceId`. When a password change or reset request did not include a `deviceId`, no refresh tokens were revoked, leaving every prior session active. An attacker who had previously obtained a refresh token could continue minting new access tokens after the legitimate user reset their password, allowing persistent unauthorized access for the lifetime of the refresh token (up to 30 days by default). Rotating credentials no longer terminated an active attacker session, defeating password reset as a containment measure. The patch in version 5.33.3 invalidates all refresh tokens associated with the user on every password change and password reset, regardless of whether a `deviceId` is supplied. A new device-scoped session is then issued to the caller as part of the response."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.1,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:38:26.745Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-hvp3-26wx-g2w4"
}
],
"source": {
"advisory": "GHSA-hvp3-26wx-g2w4",
"discovery": "UNKNOWN"
},
"title": "Strapi: Password Reset Does Not Revoke Existing Refresh Sessions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22706",
"datePublished": "2026-05-14T18:38:26.745Z",
"dateReserved": "2026-01-08T19:23:09.857Z",
"dateUpdated": "2026-05-15T14:52:06.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21622 (GCVE-0-2026-21622)
Vulnerability from cvelistv5 – Published: 2026-03-05 21:18 – Updated: 2026-04-21 04:15
VLAI
EPSS
VEX
Title
Password Reset Tokens Do Not Expire
Summary
Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover.
Password reset tokens generated via the "Reset your password" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.
If a user's historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim's password. The attacker does not need current access to the victim's email account, only access to a previously leaked copy of the reset email.
This vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines 'Elixir.Hexpm.Accounts.PasswordReset':can_reset?/3.
This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/hexpm/hexpm/security/advisorie… | vendor-advisoryrelated |
| https://cna.erlef.org/cves/CVE-2026-21622.html | related |
| https://osv.dev/vulnerability/EEF-CVE-2026-21622 | related |
| https://github.com/hexpm/hexpm/commit/bb0e4209199… | patch |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21622",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:35:49.366785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T02:43:06.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com",
"cpes": [
"cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"modules": [
"\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027"
],
"packageName": "hexpm/hexpm",
"packageURL": "pkg:github/hexpm/hexpm",
"product": "hexpm",
"programFiles": [
"lib/hexpm/accounts/password_reset.ex"
],
"programRoutines": [
{
"name": "\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027:can_reset?/3"
}
],
"repo": "https://github.com/hexpm/hexpm.git",
"vendor": "hexpm",
"versions": [
{
"lessThan": "bb0e42091995945deef10556f58d046a52eb7884",
"status": "affected",
"version": "617e44c71f1dd9043870205f371d375c5c4d886d",
"versionType": "git"
}
]
},
{
"defaultStatus": "unaffected",
"product": "hex.pm",
"vendor": "hexpm",
"versions": [
{
"lessThan": "2026-03-05",
"status": "affected",
"version": "2025-08-01",
"versionType": "date"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hexpm:hexpm:*:*:*:*:*:*:*:*",
"versionEndExcluding": "bb0e42091995945deef10556f58d046a52eb7884",
"versionStartIncluding": "617e44c71f1dd9043870205f371d375c5c4d886d",
"vulnerable": true
}
],
"negate": false,
"operator": "AND"
}
],
"operator": "AND"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Lubas / Paraxial.io"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Jonatan M\u00e4nnchen / EEF"
},
{
"lang": "en",
"type": "remediation reviewer",
"value": "Eric Meadows-J\u00f6nsson / Hex.pm"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm (\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027 module) allows Account Takeover.\u003cp\u003ePassword reset tokens generated via the \"Reset your password\" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.\u003c/p\u003e\u003cp\u003eIf a user\u0027s historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim\u0027s password. The attacker does not need current access to the victim\u0027s email account, only access to a previously leaked copy of the reset email.\u003c/p\u003e\u003cp\u003eThis vulnerability is associated with program files \u003ctt\u003elib/hexpm/accounts/password_reset.ex\u003c/tt\u003e and program routines \u003ctt\u003e\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027:can_reset?/3\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884.\u003c/p\u003e"
}
],
"value": "Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm (\u0027Elixir.Hexpm.Accounts.PasswordReset\u0027 module) allows Account Takeover.\n\nPassword reset tokens generated via the \"Reset your password\" flow do not expire. When a user requests a password reset, Hex sends an email containing a reset link with a token. This token remains valid indefinitely until used. There is no time-based expiration enforced.\n\nIf a user\u0027s historical emails are exposed through a data breach (e.g., a leaked mailbox archive), any unused password reset email contained in that dataset could be used by an attacker to reset the victim\u0027s password. The attacker does not need current access to the victim\u0027s email account, only access to a previously leaked copy of the reset email.\n\nThis vulnerability is associated with program files lib/hexpm/accounts/password_reset.ex and program routines \u0027Elixir.Hexpm.Accounts.PasswordReset\u0027:can_reset?/3.\n\nThis issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before bb0e42091995945deef10556f58d046a52eb7884."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Session Variables, Resource IDs and other Trusted Credentials"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T04:15:20.750Z",
"orgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"shortName": "EEF"
},
"references": [
{
"tags": [
"vendor-advisory",
"related"
],
"url": "https://github.com/hexpm/hexpm/security/advisories/GHSA-6r94-pvwf-mxqm"
},
{
"tags": [
"related"
],
"url": "https://cna.erlef.org/cves/CVE-2026-21622.html"
},
{
"tags": [
"related"
],
"url": "https://osv.dev/vulnerability/EEF-CVE-2026-21622"
},
{
"tags": [
"patch"
],
"url": "https://github.com/hexpm/hexpm/commit/bb0e42091995945deef10556f58d046a52eb7884"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Password Reset Tokens Do Not Expire",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUsers who suspect email exposure should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eImmediately reset their password.\u003c/li\u003e\u003cli\u003eEnable and enforce 2FA.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThere is no complete mitigation without implementing token expiration.\u003c/p\u003e"
}
],
"value": "Users who suspect email exposure should:\n\n* Immediately reset their password.\n* Enable and enforce 2FA.\n\nThere is no complete mitigation without implementing token expiration."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6b3ad84c-e1a6-4bf7-a703-f496b71e49db",
"assignerShortName": "EEF",
"cveId": "CVE-2026-21622",
"datePublished": "2026-03-05T21:18:03.883Z",
"dateReserved": "2026-01-01T03:46:45.934Z",
"dateUpdated": "2026-04-21T04:15:20.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20895 (GCVE-0-2026-20895)
Vulnerability from cvelistv5 – Published: 2026-02-26 23:48 – Updated: 2026-03-05 20:10
VLAI
EPSS
VEX
Title
EV2GO ev2go.io Insufficient Session Expiration
Summary
The WebSocket backend uses charging station identifiers to uniquely
associate sessions but allows multiple endpoints to connect using the
same session identifier. This implementation results in predictable
session identifiers and enables session hijacking or shadowing, where
the most recent connection displaces the legitimate charging station and
receives backend commands intended for that station. This vulnerability
may allow unauthorized users to authenticate as other users or enable a
malicious actor to cause a denial-of-service condition by overwhelming
the backend with valid session requests.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T20:37:39.966119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T20:37:46.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ev2go.io",
"vendor": "EV2GO",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests."
}
],
"value": "The WebSocket backend uses charging station identifiers to uniquely \nassociate sessions but allows multiple endpoints to connect using the \nsame session identifier. This implementation results in predictable \nsession identifiers and enables session hijacking or shadowing, where \nthe most recent connection displaces the legitimate charging station and\n receives backend commands intended for that station. This vulnerability\n may allow unauthorized users to authenticate as other users or enable a\n malicious actor to cause a denial-of-service condition by overwhelming \nthe backend with valid session requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T20:10:55.114Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://ev2go.io/"
},
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-04"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-04.json"
}
],
"source": {
"advisory": "ICSA-26-057-04",
"discovery": "EXTERNAL"
},
"title": "EV2GO ev2go.io Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://ev2go.io/\"\u003ehttps://ev2go.io/\u003c/a\u003e for more information.\n\n\u003cbr\u003e"
}
],
"value": "EV2GO did not respond to CISA\u0027s request for coordination. Contact EV2GO \nusing their contact page here: https://ev2go.io/ for more information."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-20895",
"datePublished": "2026-02-26T23:48:03.827Z",
"dateReserved": "2026-02-23T23:41:36.739Z",
"dateUpdated": "2026-03-05T20:10:55.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-20748 (GCVE-0-2026-20748)
Vulnerability from cvelistv5 – Published: 2026-03-06 15:18 – Updated: 2026-03-10 17:59
VLAI
EPSS
VEX
Title
Everon api.everon.io Insufficient Session Expiration
Summary
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Everon | api.everon.io |
Affected:
All versions
(custom)
|
Date Public
2026-03-04 05:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-20748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T17:48:57.951524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T17:59:09.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "api.everon.io",
"vendor": "Everon",
"versions": [
{
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA."
}
],
"datePublic": "2026-03-04T05:18:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable\u0026nbsp;a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests."
}
],
"value": "The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable\u00a0a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T15:18:50.955Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-062-08"
},
{
"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-062-08.json"
}
],
"source": {
"advisory": "ICSA-26-062-08",
"discovery": "EXTERNAL"
},
"title": "Everon api.everon.io Insufficient Session Expiration",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Everon shut down their platform on December 1st, 2025."
}
],
"value": "Everon shut down their platform on December 1st, 2025."
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2026-20748",
"datePublished": "2026-03-06T15:18:50.955Z",
"dateReserved": "2026-02-25T15:28:27.138Z",
"dateUpdated": "2026-03-10T17:59:09.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GCVE-1-2026-20139 (CVE-2026-63175)
Vulnerability from gna-1 – Published: 2026-07-15 21:26 – Updated: 2026-07-15 21:26
VLAI
EPSS
VEX
Title
Cross-Capture Session Data Leakage Due to Shared Mutable State in Looklyloo - PlaywrightCapture
Summary
PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data.
In a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture's authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations.
The vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the Capture constructor, ensuring that state is isolated between capture operations.
Severity
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Lookyloo/PlaywrightCapture/com… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Lookyloo | PlaywrightCapture |
Affected:
0 , ≤ v1.40.2
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PlaywrightCapture",
"repo": "https://github.com/Lookyloo/PlaywrightCapture",
"vendor": "Lookyloo",
"versions": [
{
"lessThanOrEqual": "v1.40.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Raphael Vinot"
},
{
"lang": "en",
"type": "finder",
"value": "Aurelien Thirion"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003ePlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple \u003ccode\u003eCapture\u003c/code\u003e objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data.\u003c/p\u003e\u003cp\u003eIn a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture\u0027s authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations.\u003c/p\u003e\u003cp\u003eThe vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the \u003ccode\u003eCapture\u003c/code\u003e constructor, ensuring that state is isolated between capture operations.\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "PlaywrightCapture stored capture-specific configuration and runtime data as mutable class-level variables rather than instance-level variables. Consequently, multiple Capture objects running within the same Python process could share state, including HTTP headers, cookies, browser storage, HTTP credentials, proxy configuration, user-agent settings, geolocation information, and captured request data.\n\nIn a multi-user or concurrent deployment, information supplied during one capture could therefore persist and be reused by a subsequent or parallel capture. This could result in the disclosure of authentication cookies, credentials, browser storage, or captured request data belonging to another user. It could also cause requests to be performed with another capture\u0027s authentication context, headers, or proxy configuration, potentially enabling unauthorized access to remote resources or interference with other capture operations.\n\nThe vulnerability is resolved by initializing all capture-specific settings and request data as instance variables in the Capture constructor, ensuring that state is isolated between capture operations."
}
],
"impacts": [
{
"capecId": "CAPEC-61",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-61 Session Fixation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/Lookyloo/PlaywrightCapture/commit/1e354b9d8566f49dbb331410be24c7c295645d43"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Cross-Capture Session Data Leakage Due to Shared Mutable State in Looklyloo - PlaywrightCapture",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2026-63175",
"datePublished": "2026-07-15T21:26:08.963556Z",
"dateReserved": "2026-07-15T21:26:19.040Z",
"dateUpdated": "2026-07-15T21:26:19.854643Z",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED",
"vulnId": "gcve-1-2026-20139"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-14725 (GCVE-0-2026-14725)
Vulnerability from cvelistv5 – Published: 2026-07-05 08:00 – Updated: 2026-07-07 02:46 X_Freeware
VLAI
EPSS
VEX
Title
SourceCodester Online Boat Reservation System session expiration
Summary
A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Session Expiration
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376311 | vdb-entry |
| https://vuldb.com/vuln/376311/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14725 | third-party-advisory |
| https://vuldb.com/submit/847674 | third-party-advisory |
| https://medium.com/@hemantrajbhati5555/improper-s… | broken-linkexploit |
| https://www.sourcecodester.com/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SourceCodester | Online Boat Reservation System |
Affected:
1.0
cpe:2.3:a:sourcecodester:online_boat_reservation_system:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14725",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-07T02:46:05.704992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-07T02:46:18.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sourcecodester:online_boat_reservation_system:*:*:*:*:*:*:*:*"
],
"product": "Online Boat Reservation System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T08:00:08.967Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376311 | SourceCodester Online Boat Reservation System session expiration",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/376311"
},
{
"name": "VDB-376311 | CTI Indicators (IOB, IOC)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376311/cti"
},
{
"name": "CVE-2026-14725 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14725"
},
{
"name": "Submit #847674 | SourceCodester Online Boat Reservation System 1.0 Improper Session Invalidation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/847674"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/improper-session-invalidation-in-online-boat-reservation-system-using-php-acebd53a8ae7"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T10:11:36.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Online Boat Reservation System session expiration"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14725",
"datePublished": "2026-07-05T08:00:08.967Z",
"dateReserved": "2026-07-04T08:06:32.108Z",
"dateUpdated": "2026-07-07T02:46:18.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12796 (GCVE-0-2026-12796)
Vulnerability from cvelistv5 – Published: 2026-06-21 09:00 – Updated: 2026-06-22 18:12
VLAI
EPSS
VEX
Title
BerriAI litellm SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration
Summary
A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function get_redirect_response_from_openid of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Session Expiration
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/372558 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/372558/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12796 | third-party-advisory |
| https://vuldb.com/submit/811287 | third-party-advisory |
| https://gist.github.com/YLChen-007/5fa8af12e1b183… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12796",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T18:07:39.063864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T18:12:18.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"
],
"modules": [
"SSO Authentication Flow"
],
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "1.82.0"
},
{
"status": "affected",
"version": "1.82.1"
},
{
"status": "affected",
"version": "1.82.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-c (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function get_redirect_response_from_openid of the file litellm/proxy/management_endpoints/ui_sso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-21T09:00:09.028Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-372558 | BerriAI litellm SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/372558"
},
{
"name": "VDB-372558 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/372558/cti"
},
{
"name": "CVE-2026-12796 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12796"
},
{
"name": "Submit #811287 | litellm \u003c= 1.82.2 Insufficient Session Expiration (CWE-613)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/811287"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/5fa8af12e1b183674d7ca96d852fb697"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-20T19:17:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "BerriAI litellm SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12796",
"datePublished": "2026-06-21T09:00:09.028Z",
"dateReserved": "2026-06-20T17:12:15.581Z",
"dateUpdated": "2026-06-22T18:12:18.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12772 (GCVE-0-2026-12772)
Vulnerability from cvelistv5 – Published: 2026-06-21 02:00 – Updated: 2026-06-22 17:20
VLAI
EPSS
VEX
Title
BerriAI litellm PROXY_ADMIN database API Key Generator login_utils.py authenticate_user session expiration
Summary
A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Session Expiration
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/372514 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/372514/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-12772 | third-party-advisory |
| https://vuldb.com/submit/811281 | third-party-advisory |
| https://gist.github.com/YLChen-007/39ed709ce32243… | exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12772",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-22T17:20:15.086018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-22T17:20:24.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:litellm:litellm:*:*:*:*:*:*:*:*"
],
"modules": [
"PROXY_ADMIN database API Key Generator"
],
"product": "litellm",
"vendor": "BerriAI",
"versions": [
{
"status": "affected",
"version": "1.82.0"
},
{
"status": "affected",
"version": "1.82.1"
},
{
"status": "affected",
"version": "1.82.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-c (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in BerriAI litellm up to 1.82.2. This impacts the function authenticate_user of the file litellm/proxy/auth/login_utils.py of the component PROXY_ADMIN database API Key Generator. Performing a manipulation results in session expiration. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-21T02:00:08.882Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-372514 | BerriAI litellm PROXY_ADMIN database API Key Generator login_utils.py authenticate_user session expiration",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/372514"
},
{
"name": "VDB-372514 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/372514/cti"
},
{
"name": "CVE-2026-12772 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-12772"
},
{
"name": "Submit #811281 | litellm \u003c= 1.82.2 Insufficient Session Expiration (CWE-613)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/811281"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/39ed709ce322431658a05b951e91f278"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-20T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-20T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-20T11:31:39.000Z",
"value": "VulDB entry last update"
}
],
"title": "BerriAI litellm PROXY_ADMIN database API Key Generator login_utils.py authenticate_user session expiration"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-12772",
"datePublished": "2026-06-21T02:00:08.882Z",
"dateReserved": "2026-06-20T09:26:23.462Z",
"dateUpdated": "2026-06-22T17:20:24.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9802 (GCVE-0-2026-9802)
Vulnerability from cvelistv5 – Published: 2026-05-28 04:47 – Updated: 2026-06-26 06:46
VLAI
EPSS
VEX
Title
Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart
Summary
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:25097 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25098 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30049 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30050 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-9802 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2482467 | issue-trackingx_refsource_REDHAT |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.13-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-19 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.13 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6.3-3 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6-6 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6.3 |
cpe:/a:redhat:build_keycloak:26.6::el9 |
Date Public
2026-05-28 04:10
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T13:00:17.958549Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T13:00:32.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.13-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.3-3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6.3",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Gyeongpyo Son for reporting this issue."
}
],
"datePublic": "2026-05-28T04:10:26.145Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Moderate"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T06:46:43.373Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:25097",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"name": "RHSA-2026:25098",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"name": "RHSA-2026:30049",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"name": "RHSA-2026:30050",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9802"
},
{
"name": "RHBZ#2482467",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T04:01:03.837Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-28T04:10:26.145Z",
"value": "Made public."
}
],
"title": "Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-613: Insufficient Session Expiration"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-9802",
"datePublished": "2026-05-28T04:47:10.497Z",
"dateReserved": "2026-05-28T04:02:07.242Z",
"dateUpdated": "2026-06-26T06:46:43.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Implementation
Set sessions/credentials expiration date.
No CAPEC attack patterns related to this CWE.