309 matches found
GHSA-X234-X5VQ-CC2V Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Summary A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected...
CVE-2026-40264
A flaw was found in OpenBao. OpenBao's multi-tenant separation feature allows a privileged administrator in one tenant to revoke or renew a token belonging to another tenant if that token's accessors are leaked. This unauthorized token management could lead to a denial of service for the affected...
CVE-2026-40264
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...
CVE-2026-40264 OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. This is addressed in v2.5.3...
OpenBao 安全漏洞
OpenBao is an open-source sensitive data management software developed by OpenBao. Versions of OpenBao prior to 2.5.3 contained security vulnerabilities. These vulnerabilities were caused by a problem with tenant isolation in namespaces, which could lead to tokens being revoked from tenants whose...
EUVD-2025-209495
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
CVE-2025-12624
WSO2 Identity Server is affected by CVE-2025-12624, where active access tokens are not revoked when a user account is locked. The underlying issue is a failure to enforce revocation of previously issued, valid tokens, allowing locked accounts to maintain access to protected resources via unexpire...
PT-2026-33306
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...
WSO2 Identity Server 安全漏洞
WSO2 Identity Server is an identity authentication server developed by the American company WSO2. There is a security vulnerability in WSO2 Identity Server; this vulnerability arises from the failure to revoke active access tokens when user accounts are locked, which may lead to bypassing access...
CVE-2026-4002
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...
CVE-2026-4002
The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...
Improper Session Invalidation
github.com/usememos/memos is vulnerable to improper session invalidation. The vulnerability is due to access tokens not being revoked after a password change, which allows an attacker to retain unauthorized access using previously issued valid tokens...
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection...
PT-2026-29816
Name of the Vulnerable Software and Affected Versions listmonk versions 4.1.0 through 6.0.0 Description listmonk, a self-hosted newsletter and mailing list manager, has a session management issue. Previously issued authenticated sessions remain valid after sensitive account security changes, such...
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
Insufficient Session Expiration
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration through incomplete termination of WebSocket sessions when devices are removed or tokens are revoked. An attacker can retain unauthorized access by...
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2pr2-hcv6-7gwv. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoke...