202 matches found
CVE-2026-56665
ZITADEL's external JWT Identity Provider validation (internal/idp/providers/jwt/session.go) does not enforce expiration when an incoming token omits the exp claim, causing tokens from trusted issuers to be treated as valid without an automatic expiration window. Affected releases: 3.0.0-rc.1 thro...
CVE-2026-56665 ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session....
CVE-2026-42172
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...
CVE-2026-42172 Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...
EUVD-2026-41980
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...
CVE-2026-42172 Coolify: Sanctum API Tokens Have No Expiration — Leaked Tokens Grant Permanent Access
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Sanctum API tokens did not expire, allowing a leaked token to retain access indefinitely until manually revoked. This issue is fixed in version 4.0.0-beta.474...
CVE-2026-46455
Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...
EUVD-2026-41829
Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...
PT-2026-55890
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.18.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.x Description Insufficient session expiration in the Apache Camel Keycloak Component occurs because the KeycloakSecurityHelper.parseAndVerifyAccessToken...
GO-2026-5732 ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider in github.com/zitadel/zitadel
ZITADEL: Missing Token Lifecyle Validation exp and iat in JWT IdP Provider in github.com/zitadel/zitadel...
GHSA-CQ9C-6W48-QMFG @actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...
PT-2026-51451
Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description In OpenID multi-user mode, disabling a user only prevents future OpenID logins for that identity. Existing session tokens remain valid because the shared session validation path does not check if the...
ConnectWise ScreenConnect < 26.2 Improper Input Validation (CVE-2026-11596)
According to its version, the ConnectWise ScreenConnect remote access software installed on the remote host is prior to 26.2. It is, therefore, affected by an improper input validation vulnerability: - Input validation within the Host Pass creation functionality could allow an authenticated user...
EUVD-2026-37126
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validateexp = false in the verifydecode helper within the stdlib JWT verification path. Attackers in possession of a previously issued...
PT-2026-49727
Name of the Vulnerable Software and Affected Versions Perry versions prior to 0.5.1166 Description An issue in the JWT validation process allows remote attackers to bypass token expiration. This occurs because the verify decode helper within the stdlib JWT verification path unconditionally sets...
CVE-2026-11596
Affected software: ScreenConnect™ (before version 26.2). The vulnerability concerns input validation in the Host Pass creation flow, where an authenticated user with Host Pass creation privileges could set a delegated access token expiration longer than the intended maximum. Impact, as described,...
CVE-2026-11596
In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens...
ConnectWise ScreenConnect 安全漏洞
ConnectWise ScreenConnect is a self-hosted remote desktop software application developed by ConnectWise. Versions of ConnectWise ScreenConnect prior to version 26.2 contained a security vulnerability. This vulnerability stemmed from the lack of input validation for the token expiration duration...
Operation on a Resource after Expiration or Release
Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to a logic error in the validation of expiration timestamps for access...