
CWE-613 (Insufficient Session Expiration) — Vulnerability Class 318

318 vulnerabilities classified as CWE-613 (Insufficient Session Expiration). AI Chinese analysis included.

CWE-613 represents a critical authentication weakness in which a web application fails to invalidate a session identifier after the user logs out or after a period of inactivity. This flaw lets an attacker make use of a stale session token, typically obtained through network sniffing, session fixation, or simply by using a shared device that a user walked away from. Because the token should have expired but still works, the attacker bypasses the authentication mechanism and gains unauthorized access to user accounts or administrative functions without having to crack a password. To mitigate this risk, developers must implement session management that enforces strict expiration policies: set appropriate absolute and idle timeouts for every session, make logout immediately invalidate the server-side session data (not just delete the cookie), and mark session cookies with the Secure and HttpOnly flags so that client-side script cannot read the session identifier.

MITRE CWE Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Common Consequences (1)
  Scope: Access Control
  Impact: Bypass Protection Mechanism

Mitigations (1)
  Phase: Implementation
  Description: Set sessions/credentials expiration date.

Examples (1)
The following snippet was taken from a J2EE web.xml deployment descriptor in which the session-timeout parameter is explicitly defined (the default value depends on the container). In this case the value is set to -1, which means that a session will never expire.

    <web-app>
      [...snipped...]
      <session-config>
        <session-timeout>-1</session-timeout>
      </session-config>
    </web-app>

Bad · Java
CVE ID | Title | CVSS | Severity | Published
--- | --- | --- | --- | ---
CVE-2025-62340 | HCL iControl was affected by Inadequate Session Timeout vulnerability — iControl | 3.1 | Low | 2026-06-17
CVE-2026-53843 | OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session — OpenClaw | 8.8 | High | 2026-06-16
CVE-2026-53776 | Perry < 0.5.1166 JWT Expiration Bypass via verify_decode — perry | 9.1 | Critical | 2026-06-16
CVE-2026-44188 | Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration — Red Hat Ansible Automation Platform 2.7 | 5.3 | Medium | 2026-06-15
CVE-2026-53830 | OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload — OpenClaw | 6.5 | Medium | 2026-06-12
CVE-2026-53824 | Mattermost plugin for OpenClaw < 2026.4.24 - Slash Token Revocation Lag via Monitor Refresh Delay — OpenClaw | 6.5 | Medium | 2026-06-12
CVE-2026-46401 | HAX CMS PHP has Insufficient Session Expiration — issues | - | - | 2026-06-05
CVE-2026-48726 | Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path — Apache Airflow | - | - | 2026-06-01
CVE-2026-44648 | SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover — SillyTavern | 7.5 | High | 2026-05-29
CVE-2026-9802 | Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart — Red Hat build of Keycloak 26.6 | 6.8 | Medium | 2026-05-28
CVE-2026-8670 | Insecure session handling on metrics web server — Avantra | 9.6 | Critical | 2026-05-22
CVE-2026-1815 | Session Hijacking in TEİAŞ's Mobile Application — Mobile Application | 5.7 | Medium | 2026-05-21
CVE-2026-44553 | Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access — open-webui | 8.1 | High | 2026-05-15
CVE-2026-22706 | Strapi: Password Reset Does Not Revoke Existing Refresh Sessions — strapi | - | - | 2026-05-14
CVE-2026-44511 | Katalyst Koi: Session cookies can be replayed after user logout — koi | 7.4 | High | 2026-05-14
CVE-2026-43911 | Vaultwarden: Refresh tokens not invalidated on security stamp rotation — vaultwarden | 6.8 | Medium | 2026-05-11
CVE-2026-41902 | FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks — freescout | 9.1 | Critical | 2026-05-07
CVE-2026-41519 | Weblate's API Token Not Invalidated on Password Change — weblate | 4.2 | Medium | 2026-05-07
CVE-2026-41891 | CI4MS: Deactivated User Session Bypass (active=0) — ci4ms | 9.1 (AI) | Critical (AI) | 2026-05-07
CVE-2026-40934 | jupyter-server authentication cookies remain valid after password reset due to static cookie secret — jupyter_server | 7.5 | - | 2026-05-05
CVE-2026-42421 | OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation — OpenClaw | 5.4 | Medium | 2026-04-28
CVE-2026-41916 | OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload — OpenClaw | 5.4 | Medium | 2026-04-28
CVE-2026-25720 | SenseLive X3050 Insufficient session expiration — X3050 | 5.4 | Medium | 2026-04-23
CVE-2026-41356 | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate — OpenClaw | 5.4 | Medium | 2026-04-23
CVE-2026-1272 | IBM Guardium Data Protection is affected by multiple vulnerabilities — Guardium Data Protection | 2.7 | Low | 2026-04-22
CVE-2026-6515 | Insufficient Session Expiration in GitLab — GitLab | 5.4 | Medium | 2026-04-22
CVE-2026-6848 | Quay: red hat quay: authentication bypass allows privileged actions without valid credentials — Red Hat Quay 3 | 5.4 | Medium | 2026-04-22
CVE-2026-41133 | pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass) — pyload | 8.8 | High | 2026-04-21
CVE-2026-40939 | DSF: Missing Session Timeout for OIDC Sessions — dsf | 9.1 (AI) | Critical (AI) | 2026-04-21
CVE-2026-40587 | blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset — blueprintue-self-hosted-edition | 6.5 | Medium | 2026-04-21

Vulnerabilities classified as CWE-613 (Insufficient Session Expiration) represent 318 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.