When a user's permission to mint tokens for a service account is revoked, the user can sometimes still mint tokens for a few seconds after the revocation; the revocation does eventually take effect.
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usabl
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, wh
Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after
An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an a
A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated whe
An authenticated user's token could be used by another source after the user had logged out prior to the token expiring.
OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit stal
Improper Authorization in Elastic Cloud Enterprise can lead to Privilege Escalation where the built-in readonly user can call APIs that should not be allowed. The list of APIs that are affected by thi
TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log in as another user,
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revok
A user with access to the cluster with a limited set of privilege actions may be able to terminate queries that are being executed by other users. This may cause a denial of service by preventing a fr
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client cre
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through 1.19.4.
Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the
Bludit is a content management system. Versions prior to 3.22.0 have a vulnerability in the user management logic that allows deactivated accounts to maintain access via persistent authentication toke
Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user ca
There is an elevation of privilege vulnerability in server and client components of Absolute Secure Access prior to version 13.07. Attackers with local access and valid desktop user credentials can el
In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User in
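The token and session entries above (WSO2 Identity Server, Keycloak, Apache Answer, Nagios Network Analyzer, AOS-8, OpenClaw, Bludit, Tattile, Zender) share one failure mode: a token's validity is judged from the token alone, chiefly its expiry, and not from the current state of the account and any revocation that happened after issuance. The Python below is an added example written for this page, not code from any of the products listed; the Account, Token and RevocationState structures, the validate and run_scenarios functions and the constructed scenarios are assumptions of the example. It models the checks a validator needs at use time: the subject still exists and matches the token, the account is neither disabled nor locked, the token id is not on a revocation list, and the token was issued after the latest applicable notBefore at realm, client and user level (so a client-level policy is honoured even when the realm-level one alone would let the token through).

```python
# Added example: a token validator that enforces revocation at use time.
# Illustrative code written for this page, not code from any product listed
# here; all names and the scenario data below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Account:
    user_id: str
    enabled: bool = True        # False after administrative disable
    locked_until: float = 0.0   # temporary lockout after failed logins
    not_before: float = 0.0     # bumped on logout / "sign out everywhere"


@dataclass
class Token:
    jti: str        # token id, used by the per-token revocation list
    sub: str        # subject (user id) the token was issued to
    client_id: str  # client the token was issued for
    iat: float      # issued-at, seconds
    exp: float      # expiry, seconds


@dataclass
class RevocationState:
    realm_not_before: float = 0.0                               # realm-wide cut-off
    client_not_before: Dict[str, float] = field(default_factory=dict)  # per-client cut-off
    revoked_jti: Set[str] = field(default_factory=set)          # explicitly revoked tokens


def validate_expiry_only(token: Token, now: float) -> bool:
    """The weak pattern behind the entries above: only the token's own window."""
    return token.iat <= now < token.exp


def validate(token: Token, account: Optional[Account],
             state: RevocationState, now: float) -> Tuple[bool, str]:
    """Accept a token only if account state and revocation data still allow it."""
    if not (token.iat <= now < token.exp):
        return False, "expired"
    if token.jti in state.revoked_jti:
        return False, "token revoked"
    # The subject must still exist (deleted users) and match the token.
    if account is None or account.user_id != token.sub:
        return False, "unknown subject"
    if not account.enabled:
        return False, "account disabled"
    if now < account.locked_until:
        return False, "account locked"
    # Every notBefore that applies is honoured; the latest one wins.
    effective_not_before = max(
        state.realm_not_before,
        state.client_not_before.get(token.client_id, 0.0),
        account.not_before,
    )
    if token.iat < effective_not_before:
        return False, "issued before notBefore"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios mirroring the failure modes listed on this page."""
    tok = Token(jti="t1", sub="alice", client_id="web", iat=1000.0, exp=4600.0)
    now = 2000.0
    fresh = RevocationState()
    results = {
        "baseline": validate(tok, Account("alice"), fresh, now),
        "disabled": validate(tok, Account("alice", enabled=False), fresh, now),
        "locked": validate(tok, Account("alice", locked_until=3000.0), fresh, now),
        "deleted": validate(tok, None, fresh, now),
        "logged_out": validate(tok, Account("alice", not_before=1500.0), fresh, now),
        "jti_revoked": validate(tok, Account("alice"),
                                RevocationState(revoked_jti={"t1"}), now),
        # Realm notBefore (500) alone would pass this token (iat 1000);
        # the client-level cut-off (1500) must still be applied.
        "client_not_before": validate(
            tok, Account("alice"),
            RevocationState(realm_not_before=500.0, client_not_before={"web": 1500.0}),
            now),
        "expired": validate(tok, Account("alice"), fresh, 5000.0),
        # A token minted for one user presented against another user's account.
        "wrong_subject": validate(tok, Account("bob"), fresh, now),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

Two design points follow from the entries. The checks must read the authoritative account and revocation store on each use, not a cached copy, or the window described in the first entry (revocation taking effect seconds later) reappears; and persistent state such as notBefore and the revoked-token set must survive a restart, since timing state that lives only in memory is exactly what the Keycloak refresh-token entry describes losing.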