CWE-613

Insufficient Session Expiration

Parent: CWE-672 - Operation on a Resource after Expiration or Release

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

509 vulnerabilities with CWE-613
CVE-2026-42421  MEDIUM  CVSS 5.4  OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
CVE-2026-41916  MEDIUM  CVSS 5.4  OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload
CVE-2026-25720  MEDIUM  CVSS 5.4  SenseLive X3050 Insufficient session expiration
CVE-2026-41356  MEDIUM  CVSS 5.4  OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
CVE-2026-1272   LOW     CVSS 2.7  IBM Guardium Data Protection is affected by multiple vulnerabilities
CVE-2026-6515   MEDIUM  CVSS 5.4  Insufficient Session Expiration in GitLab
CVE-2026-6848   MEDIUM  CVSS 5.4  Quay: red hat quay: authentication bypass allows privileged actions without valid credentials
CVE-2026-41133  HIGH    CVSS 8.8  pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)
CVE-2026-40939  MEDIUM  -         DSF: Missing Session Timeout for OIDC Sessions
CVE-2026-40587  MEDIUM  CVSS 6.5  blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset
CVE-2026-0971   MEDIUM  CVSS 4.3  GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout
CVE-2026-34454  LOW     CVSS 3.5  OAuth2 Proxy: Session cookie not cleared when rendering sign-in page
CVE-2026-35594  MEDIUM  CVSS 6.5  Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
CVE-2026-1163   MEDIUM  CVSS 4.1  Insufficient Session Expiration in parisneo/lollms
CVE-2026-5376   MEDIUM  CVSS 5.9  runZero Platform session timeout failure
CVE-2026-35462  MEDIUM  CVSS 4.3  Papra Does Not Reject Expired API Keys
CVE-2026-34828  HIGH    CVSS 7.1  listmonk: Active sessions remain valid after password reset and password change
CVE-2026-34572  HIGH    CVSS 8.8  CI4MS: Account Deactivation Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw)
CVE-2026-34570  HIGH    CVSS 8.8  CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All-Roles via Improper Session Invalidation (Logic Flaw)
CVE-2026-34503  HIGH    CVSS 8.1  OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
CVE-2026-26060  HIGH    CVSS 8.8  Fleet: Password reset tokens remain valid after password change for 24 hours
CVE-2026-34362  MEDIUM  CVSS 5.4  AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
CVE-2026-29092  MEDIUM  CVSS 4.9  Kiteworks Email Protection Gateway has an Insufficient Session Expiration
CVE-2026-33417  MEDIUM  CVSS 6.5  Wallos: Password Reset Tokens Never Expire
CVE-2026-32663  HIGH    CVSS 7.3  IGL-Technologies eParking.fi Insufficient Session Expiration