CVE-2026-25700
Status: Analyzed (Analysis Complete)

Improper Token Assignment in Apache Answer

Vulnerability report for CVE-2026-25700, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-19

Assigner: Apache Software Foundation

Description

Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer versions through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
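The token-lifecycle flaw described above, as an added Go example that is not Apache Answer's own code: it contrasts a check that trusts a stored administrative token on its own with one that re-validates the account on every request and revokes tokens when an account is disabled. The AuthStore type, its maps and the method names are constructed for this example.

```go
package main

import "errors"

// In-memory admin token store constructed for this example; it is not Apache
// Answer's own code (single-threaded for brevity). Suspended, deleted and
// deactivated accounts all map to active == false.
type AuthStore struct {
	active map[string]bool   // admin user ID -> account still active
	tokens map[string]string // admin token -> user ID
}

func NewAuthStore() *AuthStore {
	return &AuthStore{active: map[string]bool{}, tokens: map[string]string{}}
}

// Issue records an administrative token for an active account (login path).
func (s *AuthStore) Issue(token, userID string) {
	s.active[userID], s.tokens[token] = true, userID
}

// VulnerableAdminCheck is the flawed pattern behind CVE-2026-25700: the token's
// existence alone is trusted, so one issued before suspension keeps working.
func (s *AuthStore) VulnerableAdminCheck(token string) error {
	if _, ok := s.tokens[token]; !ok {
		return errors.New("invalid token")
	}
	return nil
}

// Disable suspends, deletes or deactivates an account and revokes every token
// issued to it: the invalidation the advisory describes as missing before 2.0.1.
func (s *AuthStore) Disable(userID string) {
	s.active[userID] = false
	for t, uid := range s.tokens {
		if uid == userID {
			delete(s.tokens, t)
		}
	}
}

// FixedAdminCheck also re-validates the account on every request, so a token
// that escaped revocation still cannot act for a disabled administrator.
func (s *AuthStore) FixedAdminCheck(token string) error {
	if uid, ok := s.tokens[token]; !ok || !s.active[uid] {
		delete(s.tokens, token) // revoke on detection; no-op for unknown tokens
		return errors.New("token invalid or administrator account not active")
	}
	return nil
}
```

Both defences belong together: revocation at the moment an account is disabled closes the window, and the per-request status check catches any token the revocation path missed.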

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-19
Generated: 2026-07-01
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External records: NVD, EUVD

Affected Vendors & Products

1 associated CPE:
Vendor: apache
Product: answer
Version / Range: up to 2.0.1 (excluding)

Exploitability

CWE
KEV

CWE ID: CWE-1259
Description: The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.

Impact Analysis

This vulnerability can allow unauthorized access to administrative functions even after an administrator's account has been suspended, deleted, or deactivated.

An attacker or unauthorized user who possesses a previously issued administrative token could continue to perform administrative actions until the token naturally expires.

This could lead to unauthorized changes, data exposure, or other administrative-level impacts on the affected system.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Answer to version 2.0.1, which fixes the issue of previously issued administrative tokens not being invalidated after account suspension, deletion, or deactivation.

Executive Summary

This vulnerability is an Improper Restriction of Security Token Assignment in Apache Answer versions up to 2.0.0.

Specifically, administrative tokens that were issued before an administrator account was suspended, deleted, or deactivated were not invalidated. This means that even after an administrator's account was disabled, the previously issued tokens could still be used to access administrative APIs until those tokens expired.

The issue is fixed in Apache Answer version 2.0.1.

Compliance Impact

This vulnerability allows previously issued administrative tokens to remain valid even after the associated administrator account is suspended, deleted, or deactivated. This improper restriction of security token assignment can lead to unauthorized continued access to administrative APIs.

Such unauthorized access could potentially result in violations of common security and privacy standards and regulations like GDPR and HIPAA, which require strict access controls and timely revocation of access rights to protect sensitive data.

Therefore, the vulnerability may negatively impact compliance by failing to enforce proper access revocation, increasing the risk of unauthorized data access or modification.
