CVE-2026-25700
Received - Intake
Improper Token Assignment in Apache Answer

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Apache Software Foundation

Description
Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Meta Information
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
apache | answer | up to and including 2.0.0
apache | answer | up to 2.0.0 (excluding 2.0.0)
CWE
CWE-1259: The System-On-A-Chip (SoC) implements a Security Token mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. However, the Security Tokens are improperly protected.
Note that CWE-1259 is defined in CWE's hardware-design view; it appears here because its name, "Improper Restriction of Security Token Assignment", matches the wording of the advisory. The defect actually described is a missing revocation of server-side session tokens when an administrator account changes state.
Executive Summary

This vulnerability is an Improper Restriction of Security Token Assignment in Apache Answer versions up to and including 2.0.0.

Specifically, administrative tokens that were issued before an administrator account was suspended, deleted, or deactivated were not invalidated. This means that even after an administrator's account was disabled, the previously issued tokens could still be used to access administrative APIs until those tokens expired.

The issue is fixed in Apache Answer version 2.0.1.
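The flaw the advisory and the summary above describe is a gap between the account record and the session record: suspending, deleting, or deactivating the account changes one but not the other, and the authorization check only consults the session. The Go program below is an added, constructed illustration of that pattern and of two ways to close the gap; it is not Apache Answer's code or its 2.0.1 fix, and the types, function names and the in-memory store are assumptions made for the example. Apache Answer itself is written in Go, which is why Go is used here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Constructed illustration, not Apache Answer's code: an in-memory admin
// token service showing the flawed check next to the hardened one.
// Single-goroutine demo, so no locking is included.

type AccountStatus int

const (
	StatusActive AccountStatus = iota
	StatusSuspended
	StatusDeleted
)

// Session is what the server stores for each issued token.
type Session struct {
	UserID    string
	IsAdmin   bool
	ExpiresAt time.Time
}

var ErrUnauthorized = errors.New("unauthorized")

type TokenService struct {
	now      func() time.Time
	accounts map[string]AccountStatus // user ID -> current status
	sessions map[string]Session       // token -> session
}

func NewTokenService(now func() time.Time) *TokenService {
	return &TokenService{now: now, accounts: map[string]AccountStatus{}, sessions: map[string]Session{}}
}

func (s *TokenService) AddAccount(userID string) { s.accounts[userID] = StatusActive }

// Issue creates an unguessable random token bound to an active account.
func (s *TokenService) Issue(userID string, isAdmin bool, ttl time.Duration) (string, error) {
	if st, ok := s.accounts[userID]; !ok || st != StatusActive {
		return "", ErrUnauthorized
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.sessions[tok] = Session{UserID: userID, IsAdmin: isAdmin, ExpiresAt: s.now().Add(ttl)}
	return tok, nil
}

// VulnerableAuthorizeAdmin reproduces the pattern the advisory describes:
// the token is accepted if it exists, carries the admin flag and has not
// expired. The account's current status is never consulted, so a token
// issued before suspension or deletion keeps working until ExpiresAt.
func (s *TokenService) VulnerableAuthorizeAdmin(tok string) error {
	sess, ok := s.sessions[tok]
	if !ok || !sess.IsAdmin || !s.now().Before(sess.ExpiresAt) {
		return ErrUnauthorized
	}
	return nil
}

// AuthorizeAdmin adds the missing check: the account behind the token
// must still exist and be active at the time of the request.
func (s *TokenService) AuthorizeAdmin(tok string) error {
	if err := s.VulnerableAuthorizeAdmin(tok); err != nil {
		return err
	}
	if st, ok := s.accounts[s.sessions[tok].UserID]; !ok || st != StatusActive {
		return ErrUnauthorized
	}
	return nil
}

// SetStatus records a suspension or deletion. It touches only the account
// record and leaves sessions alone, which is the state the advisory describes.
func (s *TokenService) SetStatus(userID string, st AccountStatus) {
	if st == StatusDeleted {
		delete(s.accounts, userID)
		return
	}
	s.accounts[userID] = st
}

// RevokeSessions is the complementary server-side fix: drop every session
// bound to userID, so even code paths that skip the status check cannot be
// reached with an old token. Returns the number of sessions revoked.
func (s *TokenService) RevokeSessions(userID string) int {
	n := 0
	for tok, sess := range s.sessions {
		if sess.UserID == userID {
			delete(s.sessions, tok)
			n++
		}
	}
	return n
}

// DemoResult summarises one run of the scenario.
type DemoResult struct {
	VulnerableAcceptsAfterSuspend bool
	HardenedAcceptsAfterSuspend   bool
	Revoked                       int
	VulnerableAcceptsAfterRevoke  bool
}

// Demo: an admin logs in, is suspended, and the old token is replayed
// against both checks; then the sessions are revoked explicitly.
func Demo() (DemoResult, error) {
	clock := time.Date(2026, 6, 10, 12, 0, 0, 0, time.UTC) // fixed clock for determinism
	svc := NewTokenService(func() time.Time { return clock })
	svc.AddAccount("admin-1")
	tok, err := svc.Issue("admin-1", true, 24*time.Hour)
	if err != nil {
		return DemoResult{}, err
	}
	if err := svc.AuthorizeAdmin(tok); err != nil {
		return DemoResult{}, fmt.Errorf("fresh token should be valid: %w", err)
	}
	svc.SetStatus("admin-1", StatusSuspended)
	res := DemoResult{
		VulnerableAcceptsAfterSuspend: svc.VulnerableAuthorizeAdmin(tok) == nil,
		HardenedAcceptsAfterSuspend:   svc.AuthorizeAdmin(tok) == nil,
	}
	res.Revoked = svc.RevokeSessions("admin-1")
	res.VulnerableAcceptsAfterRevoke = svc.VulnerableAuthorizeAdmin(tok) == nil
	return res, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The two fixes are deliberately independent. The per-request status check in AuthorizeAdmin is cheap and closes the window immediately, but only on code paths that call it; eager revocation in RevokeSessions removes the stale sessions themselves, so it also protects any handler that still performs the weaker check. A hardened service does both, and calls RevokeSessions from the same code path that changes the account's status.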

Impact Analysis

This vulnerability can allow unauthorized access to administrative functions even after an administrator's account has been suspended, deleted, or deactivated.

An attacker holding a token that was issued to an administrator before that account was suspended, deleted, or deactivated (for example, the session of a compromised or departed administrator) could continue to call administrative APIs until the token reached its natural expiry.

This could lead to unauthorized changes, data exposure, or other administrative-level impacts on the affected system.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Answer to version 2.0.1, which fixes the issue of previously issued administrative tokens not being invalidated after account suspension, deletion, or deactivation.

Compliance Impact

This vulnerability allows previously issued administrative tokens to remain valid even after the associated administrator account is suspended, deleted, or deactivated. This improper restriction of security token assignment can lead to unauthorized continued access to administrative APIs.

Such unauthorized access could potentially result in violations of common security and privacy standards and regulations like GDPR and HIPAA, which require strict access controls and timely revocation of access rights to protect sensitive data.

Therefore, the vulnerability may negatively impact compliance by failing to enforce proper access revocation, increasing the risk of unauthorized data access or modification.
