← volver
CVE-2026-28275

Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)

CVSS 8.1 HIGHEPSS 0.4%CWE-613
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.1EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
26 feb 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Productos afectados
Morelitea · initiative

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/Morelitea/initiative/releases/tag/v0.32.4https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h