Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / CWE / CWE-613

CWE-613

Insufficient Session Expiration

Parent: CWE-672 - Operation on a Resource after Expiration or Release

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

531 vulnerabilities with CWE-613

CVE-2026-44188 MEDIUM

Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration

CVE-2026-53830 MEDIUM

OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload

CVE-2026-53824 MEDIUM

Mattermost < 2026.4.24 - Slash Token Revocation Lag via Monitor Refresh Delay

CVE-2026-46657 HIGH

Bludit's persistent authentication tokens not revoked upon account disablement

CVE-2026-46656 HIGH

Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions

CVE-2026-46401 MEDIUM

haxtheweb issues - HAX CMS PHP Has Insufficient Session Expiration

CVE-2026-48726 MEDIUM

Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path

CVE-2026-44648 HIGH

SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

CVE-2026-9802 MEDIUM

Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart

CVE-2026-8670 CRITICAL

syslink software Avantra - Insecure Session Handling on Metrics Web Server

CVE-2026-1815 MEDIUM

Session Hijacking in TEİAŞ's Mobile Application

CVE-2026-44553 HIGH

Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access

CVE-2026-22706 MEDIUM

Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

CVE-2026-44511 HIGH

Katalyst Koi: Session cookies can be replayed after user logout

CVE-2026-5545 MEDIUM

curl 8.7.0-8.19.0 - Insufficient Session Expiration via Connection Reuse

CVE-2026-44873 MEDIUM

Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

CVE-2026-43983 HIGH

Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions

CVE-2026-43911 MEDIUM

Vaultwarden: Refresh tokens not invalidated on security stamp rotation

CVE-2026-41902 CRITICAL

FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks

CVE-2026-41519 MEDIUM

Weblate's API Token Not Invalidated on Password Change

CVE-2026-41891 MEDIUM

CI4MS: Deactivated User Session Bypass (active=0)

CVE-2026-40934 MEDIUM

jupyter-server authentication cookies remain valid after password reset due to static cookie secret

CVE-2026-42421 MEDIUM

OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation

CVE-2026-41916 MEDIUM

OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload

CVE-2026-25720 MEDIUM

SenseLive X3050 Insufficient session expiration

Page 1 of 22 Next

Details

Vulnerabilities 531

Links

MITRE CWE Entry Search this CWE With Exploits

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy