rdiffweb is vulnerable to Improper Session Management. The vulnerability exists because the library does not invalidate all of a user's session tokens when that user's password is changed, so sessions that were authenticated with the old password remain logged in after the change.
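The following is an added example, not rdiffweb's own code, showing the two behaviours the advisory contrasts in a minimal session store written in Python (the language rdiffweb itself uses). Every name in it (`SessionStore`, `User`, `password_generation`, `demo`) is hypothetical. Each user carries a password generation counter; a session records the generation it was issued under, and a token is only honoured while that generation still matches. Changing the password with `invalidate_sessions=True` bumps the counter, which retires every token issued before the change, including ones held on other devices; passing `False` reproduces the flaw, where the old token keeps working.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical minimal session store, constructed for this example. It is not
# rdiffweb's code; it only models the behaviour described in the advisory.


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for a fast example, not production.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    password_generation: int = 0  # incremented on every password change


@dataclass
class SessionStore:
    users: dict = field(default_factory=dict)     # username -> User
    sessions: dict = field(default_factory=dict)  # token -> (username, generation)

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def login(self, name: str, password: str):
        """Return a fresh session token, or None if the credentials are wrong."""
        user = self.users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        # Bind the session to the password generation in force when it was issued.
        self.sessions[token] = (name, user.password_generation)
        return token

    def current_user(self, token: str):
        """Resolve a token to a username; None if unknown or issued before the last password change."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        name, generation = entry
        user = self.users.get(name)
        if user is None or generation != user.password_generation:
            self.sessions.pop(token, None)  # lazily purge the stale session
            return None
        return name

    def change_password(self, name: str, new_password: str, invalidate_sessions: bool = True) -> None:
        """Rotate the credential; with invalidate_sessions=True every existing token is retired."""
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        if invalidate_sessions:
            user.password_generation += 1  # all tokens issued under the old generation now fail


def demo(invalidate_sessions: bool) -> dict:
    """Log in, change the password, then probe what the old token and passwords still buy."""
    store = SessionStore()
    store.add_user("alice", "old-password")          # constructed sample credentials
    token_before = store.login("alice", "old-password")
    store.change_password("alice", "new-password", invalidate_sessions=invalidate_sessions)
    return {
        "old_session_still_valid": store.current_user(token_before) == "alice",
        "old_password_rejected": store.login("alice", "old-password") is None,
        "new_login_works": store.login("alice", "new-password") is not None,
    }


if __name__ == "__main__":
    print("flawed behaviour :", demo(invalidate_sessions=False))
    print("fixed behaviour  :", demo(invalidate_sessions=True))
```

The generation counter is preferable to deleting tokens in a sweep because it also covers sessions stored in caches or other processes the sweep cannot see: a token is rejected by comparison at validation time rather than by having been found and removed earlier. The same hook is the natural place to retire sessions on other credential events, such as an administrator resetting the password.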