CVE-2026-25700

HIGH

Apache Answer: AdminToken not invalidated after admin deactivation

Title source: cna
STIX 2.1

Description

Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

References (2)

Core 2

Scores

CVSS v3 7.2
EPSS 0.0045
EPSS Percentile 36.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-1259
Status published
Products (2)
apache/answer < 2.0.1
Apache Software Foundation/Apache Answer < 2.0.0
Published Jun 10, 2026
Tracked Since Jun 10, 2026