CVE-2026-25700
HIGHApache Answer: AdminToken not invalidated after admin deactivation
Title source: cnaDescription
Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://lists.apache.org/thread/ftw52mlxknjm29vo1mnqovj53z2kh96y
Scores
CVSS v3
7.2
EPSS
0.0045
EPSS Percentile
36.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1259
Status
published
Products (2)
apache/answer
< 2.0.1
Apache Software Foundation/Apache Answer
< 2.0.0
Published
Jun 10, 2026
Tracked Since
Jun 10, 2026