
CWE-613 (Insufficient Session Expiration): 302 vulnerabilities

302 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI-generated Chinese-language analysis included.

CWE-613 is an authentication weakness: the application fails to invalidate a session identifier (or a comparable bearer token) when it should, typically on logout, after a period of inactivity, after an absolute lifetime, or when the credentials or privileges behind it change. A token captured earlier, whether through network sniffing, session fixation, a leaked link or log, or a shared device the user walked away from, then keeps working, so an attacker can act as that user or administrator without ever attacking the password. The mitigation is server-side session management with explicit expiration: an idle timeout and an absolute lifetime for every session; logout that deletes the server-side session record rather than only clearing the cookie; invalidation of all existing sessions and tokens on password change or reset, account lock, deactivation, or role change; and session cookies marked Secure and HttpOnly so client-side script cannot read the identifier. Cookie attributes such as Max-Age are hints to the browser, not enforcement; the server must reject an expired or revoked session itself.

MITRE CWE Description
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: Set sessions/credentials expiration date.
Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.
<web-app>
  [...snipped...]
  <session-config>
    <session-timeout>-1</session-timeout>
  </session-config>
</web-app>
Bad · Java
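The web.xml fragment above fixes only the idle timeout; the description of CWE-613 on this page also calls for invalidation on logout and on credential change. The session store below is an added example, not code from this page, from MITRE, or from any product in the CVE list. Its design and names (SessionStore, cred_version, IDLE_TIMEOUT, ABSOLUTE_LIFETIME, session_cookie) and the timeout values are assumptions chosen for illustration: opaque random IDs stored hashed, an idle timeout, an absolute lifetime, server-side logout, and a per-user credential version so that a password reset, account lock or role change kills every live session for that user.

```python
"""Server-side session store enforcing the expiry rules CWE-613 asks for.

Added example: not code from this page, MITRE, or any product listed here.
Assumed design (names and values are illustrative): opaque random session
IDs stored hashed, an idle timeout, an absolute lifetime, explicit logout,
and a per-user credential version so that a password change, reset, account
lock or role change invalidates every live session for that user.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity


@dataclass
class Session:
    user_id: str
    cred_version: int   # user's credential version captured at login
    created_at: float
    last_seen: float


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)   # sha256(id) -> Session
    cred_versions: Dict[str, int] = field(default_factory=dict)  # user_id -> version

    @staticmethod
    def _key(session_id: str) -> str:
        # Only a hash is stored, so a dump of the store cannot be replayed as-is.
        return hashlib.sha256(session_id.encode()).hexdigest()

    def login(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a session and return the opaque ID to send to the client."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG
        version = self.cred_versions.setdefault(user_id, 0)
        self.sessions[self._key(session_id)] = Session(user_id, version, now, now)
        return session_id

    def validate(self, session_id: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id for a live session; purge and return None otherwise."""
        now = time.time() if now is None else now
        key = self._key(session_id)
        s = self.sessions.get(key)
        if s is None:
            return None
        dead = (now - s.last_seen > IDLE_TIMEOUT
                or now - s.created_at > ABSOLUTE_LIFETIME
                or s.cred_version != self.cred_versions.get(s.user_id, 0))
        if dead:
            del self.sessions[key]   # a dead session must not be resurrectable
            return None
        s.last_seen = now            # sliding idle window
        return s.user_id

    def logout(self, session_id: str) -> None:
        """Delete the server-side record; clearing only the cookie would leave CWE-613."""
        self.sessions.pop(self._key(session_id), None)

    def credentials_changed(self, user_id: str) -> None:
        """Call on password change/reset, account lock or role change."""
        self.cred_versions[user_id] = self.cred_versions.get(user_id, 0) + 1


def session_cookie(session_id: str) -> str:
    # Cookie attributes keep script and plain HTTP away from the ID. Max-Age is
    # only a hint to the browser; the store above is the enforcement point.
    return (f"sid={session_id}; Path=/; Max-Age={IDLE_TIMEOUT}; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", now=0.0)
    print(session_cookie(sid))
    print(store.validate(sid, now=60.0))    # alice
    store.credentials_changed("alice")      # e.g. password reset
    print(store.validate(sid, now=120.0))   # None
```

The credential-version check is what closes the "sessions remain valid after password change" pattern that recurs in the table below: instead of searching the store for every session of a user, the version stamped at login simply stops matching. Constructed timestamps are passed as `now` so the behaviour is deterministic; in production the default `time.time()` is used.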
Listed CVEs (the page shows 30 of the 302 entries, newest first; "(AI)" reproduces the badge the page places beside a score):

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-41902 | FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks | freescout | 9.1 | Critical | 2026-05-07 |
| CVE-2026-41519 | Weblate's API Token Not Invalidated on Password Change | weblate | 4.2 | Medium | 2026-05-07 |
| CVE-2026-41891 | CI4MS: Deactivated User Session Bypass (active=0) | ci4ms | - | - | 2026-05-07 |
| CVE-2026-40934 | jupyter-server authentication cookies remain valid after password reset due to static cookie secret | jupyter_server | - | - | 2026-05-05 |
| CVE-2026-42421 | OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation | OpenClaw | 5.4 | Medium | 2026-04-28 |
| CVE-2026-41916 | OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload | OpenClaw | 5.4 | Medium | 2026-04-28 |
| CVE-2026-25720 | SenseLive X3050 Insufficient session expiration | X3050 | 5.4 | Medium | 2026-04-23 |
| CVE-2026-41356 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | OpenClaw | 5.4 | Medium | 2026-04-23 |
| CVE-2026-1272 | IBM Guardium Data Protection is affected by multiple vulnerabilities | Guardium Data Protection | 2.7 | Low | 2026-04-22 |
| CVE-2026-6515 | Insufficient Session Expiration in GitLab | GitLab | 5.4 | Medium | 2026-04-22 |
| CVE-2026-6848 | Quay: red hat quay: authentication bypass allows privileged actions without valid credentials | Red Hat Quay 3 | 5.4 | Medium | 2026-04-22 |
| CVE-2026-41133 | pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) | pyload | 8.8 | High | 2026-04-21 |
| CVE-2026-40939 | DSF: Missing Session Timeout for OIDC Sessions | dsf | 9.1 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-40587 | blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset | blueprintue-self-hosted-edition | 6.5 | Medium | 2026-04-21 |
| CVE-2026-0971 | GoAnywhere MFT SAML Sessions do not redirect to logout URL on session timeout | GoAnywhere MFT | 4.3 | Medium | 2026-04-21 |
| CVE-2025-12624 | Improper Token Invalidation in WSO2 Identity Server Allows Access After Account Lock | WSO2 Identity Server | 6.0 | Medium | 2026-04-16 |
| CVE-2026-34454 | OAuth2 Proxy: Session cookie not cleared when rendering sign-in page | oauth2-proxy | 3.5 | Low | 2026-04-14 |
| CVE-2026-35594 | Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade | vikunja | 6.5 | Medium | 2026-04-10 |
| CVE-2025-57735 | Apache Airflow: Airflow Logout Not Invalidating JWT | Apache Airflow | 9.1 (AI) | Critical (AI) | 2026-04-09 |
| CVE-2026-1163 | Insufficient Session Expiration in parisneo/lollms | parisneo/lollms | 9.1 (AI) | Critical (AI) | 2026-04-08 |
| CVE-2026-35462 | Papra Does Not Reject Expired API Keys | papra | 4.3 | Medium | 2026-04-07 |
| CVE-2026-5376 | runZero Platform session timeout failure | Platform | 5.9 | Medium | 2026-04-07 |
| CVE-2026-34828 | listmonk: Active sessions remain valid after password reset and password change | listmonk | 7.1 | High | 2026-04-02 |
| CVE-2025-66483 | Multiple vulnerabilities have been addressed in IBM Aspera Shares | Aspera Shares | 6.3 | Medium | 2026-04-01 |
| CVE-2026-34503 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation | OpenClaw | 8.1 | High | 2026-03-31 |
| CVE-2026-26060 | Fleet: Password reset tokens remain valid after password change for 24 hours | fleet | 7.5 | - | 2026-03-27 |
| CVE-2026-34362 | AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket() | AVideo | 5.4 | Medium | 2026-03-27 |
| CVE-2025-55264 | HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change | Aftermarket DPC | 5.5 | Medium | 2026-03-26 |
| CVE-2025-14810 | IBM InfoSphere Information Server is vulnerable due to insufficient session expiration | InfoSphere Information Server | 6.3 | Medium | 2026-03-25 |
| CVE-2026-29092 | Kiteworks Email Protection Gateway has an Insufficient Session Expiration | Kiteworks Email Protection Gateway | 4.9 | Medium | 2026-03-25 |

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) account for 302 CVEs. The CWE entry describes the weakness class; review the individual CVEs for product-specific impact.