CVE-2026-28275
JWT Token Invalidation Flaw in Initiative Enables Persistent Access
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| morelitea | initiative | up to 0.32.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Initiative project management platform versions prior to 0.32.4. When a user changes their password, previously issued JWT access tokens are not invalidated. This means that older tokens remain valid until they expire, allowing continued access to protected API endpoints even after the password has been updated.
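The invalidation gap described above, as an added example that is not part of the CVE record or of the Initiative project's own code: a minimal HS256 JWT issuer and two verifiers, where the vulnerable check accepts any unexpired, correctly signed token and the hardened check additionally rejects tokens whose `iat` predates the user's most recent password change. The secret, the user store and all timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed; never hard-code a real key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, iat: int, ttl: int = 3600) -> str:
    """Build a compact HS256 JWT carrying sub, iat and exp claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "iat": iat, "exp": iat + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_signature(token: str, now: int) -> Optional[dict]:
    """Return the claims if the HMAC is valid and the token is unexpired, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    return None if now >= claims["exp"] else claims


# Constructed user store recording the last password change (Unix seconds).
USERS = {"alice": {"password_changed_at": 1_700_000_000}}


def accept_vulnerable(token: str, now: int) -> bool:
    """Pre-0.32.4 behaviour as described: signature and expiry only."""
    return verify_signature(token, now) is not None


def accept_hardened(token: str, now: int) -> bool:
    """Also reject tokens issued before the user's most recent password change."""
    claims = verify_signature(token, now)
    if claims is None:
        return False
    user = USERS.get(claims["sub"])
    return user is not None and claims["iat"] >= user["password_changed_at"]
```

Storing `password_changed_at` and comparing it against `iat` invalidates every pre-change token at once without keeping a per-token denylist; a `refresh_token` rotation or key rotation would serve the same purpose.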
How can this vulnerability impact me?
The vulnerability allows an attacker or unauthorized user who has access to an old JWT token to continue accessing the affected user's account and protected resources even after the user has changed their password. This can lead to unauthorized access, data exposure, and potential misuse of the account.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the Initiative project management platform to version 0.32.4 or later, as this version fixes the issue by invalidating previously issued JWT access tokens after a user changes their password.