
2073 matches found

SUSE CVE
added 2026/05/15 1:59 a.m. | 14 views

SUSE CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 3
CNNVD
added 2026/05/15 12:00 a.m. | 10 views

Open WebUI Code Issue Vulnerability

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.0 had code-related vulnerabilities. These vulnerabilities stemmed from the lack of proper handling when managing role changes or deleting users, which resulted in...

8.1 CVSS | 5.8 AI score | 0.00284 EPSS
Exploits 1 | References 2
Cvelist
added 2026/05/14 6:38 p.m. | 39 views

CVE-2026-22706 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication...

2.1 CVSS | 0.00272 EPSS
Exploits 0 | References 1
EUVD
added 2026/05/13 9:32 p.m. | 8 views

EUVD-2026-30146

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 2
RedhatCVE
added 2026/05/13 8:23 p.m. | 7 views

CVE-2026-44873

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...

5.4 CVSS | 5.7 AI score | 0.00141 EPSS
Exploits 0 | References 1
RedhatCVE
added 2026/05/13 8:23 p.m. | 6 views

CVE-2026-43983

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. Prior to 2.6.0, the createTokenFromRefreshToken function in oidcservice.go validates the refresh token's cryptographic integrity but does not re-validate the user's current authorization state befor...

8.5 CVSS | 5.8 AI score | 0.00247 EPSS
Exploits 1 | References 1
NVD
added 2026/05/13 8:16 p.m. | 10 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1 CVSS | 0.00245 EPSS
Exploits 0 | References 1
UbuntuCve
added 2026/05/13 8:16 p.m. | 8 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 2
OSV
added 2026/05/13 8:16 p.m. | 6 views

UBUNTU-CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

8.1 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 3
Github Security Blog
added 2026/05/13 8:02 p.m. | 10 views

Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v3.1 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N 2.1 — Low - Affected Versions: @strapi/admin and @strapi/plugin-users-permissions =5.33.3 Description of CVE-2026-22706 In Strapi versions prio...

6.5 CVSS | 5.8 AI score | 0.00272 EPSS
Exploits 0 | References 3 | Affected Software 2
CVE
added 2026/05/13 7:28 p.m. | 38 views

CVE-2026-33381

CVE-2026-33381 affects Grafana: when a user’s access to mint tokens for a service account is revoked, token minting can still succeed for a few seconds after the revocation. The issue is addressed in openSUSE advisory updates for Grafana and upstream Grafana fixes, notably Grafana 11...

8.1 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 1 | Affected Software 1
ATTACKERKB
added 2026/05/13 7:28 p.m. | 7 views

CVE-2026-33381

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 2 | Affected Software 1
Vulnrichment
added 2026/05/13 7:28 p.m. | 8 views

CVE-2026-33381 Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this...

5.9 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 1
Positive Technologies
added 2026/05/13 12:00 a.m. | 10 views

PT-2026-40794

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: A race condition exists where a user may still be able to mint tokens for a service account for a few seconds after their access has been revoked. Recommendation...

8.1 CVSS | 5.7 AI score | 0.00434 EPSS
Exploits 0 | References 65
CNNVD
added 2026/05/13 12:00 a.m. | 10 views

Grafana OSS Security Vulnerability

Grafana OSS is an open-source visualization dashboard developed by Grafana. There is a security vulnerability in Grafana OSS, which arises from the possibility of users continuing to perform operations within a short period after their token permissions for service accounts have been revoked. Thi...

5.9 CVSS | 5.8 AI score | 0.00245 EPSS
Exploits 0 | References 1
Github Security Blog
added 2026/05/12 10:23 p.m. | 14 views

SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

Summary: Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. Details: SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a...

7.5 CVSS | 5.8 AI score | 0.00394 EPSS
Exploits 1 | References 4 | Affected Software 1
EUVD
added 2026/05/12 9:31 p.m. | 8 views

EUVD-2026-29822

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...

5.4 CVSS | 5.7 AI score | 0.00141 EPSS
Exploits 0 | References 2
ATTACKERKB
added 2026/05/12 7:19 p.m. | 6 views

CVE-2026-44873

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...

5.4 CVSS | 5.7 AI score | 0.00141 EPSS
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2026/05/12 7:19 p.m. | 37 views

CVE-2026-44873 Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...

5.4 CVSS | 0.00141 EPSS
Exploits 0 | References 1
Snyk
added 2026/05/12 5:23 p.m. | 6 views

Improper Authorization

Overview: Affected versions of this package are vulnerable to Improper Authorization due to insufficient validation in the createTokenFromRefreshToken function. An attacker can maintain access to resources by using a valid refresh token even after authorization has been revoked, the account has be...

8.5 CVSS | 5.7 AI score | 0.00247 EPSS
Exploits 1 | References 2