CVE-2026-16206
Received Received - Intake

Session Expiration Flaw in django-oauth-toolkit 3.3.0

Vulnerability report for CVE-2026-16206, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-19

Last updated on: 2026-07-19

Assigner: VulDB

Description

A security vulnerability has been detected in django-oauth django-oauth-toolkit 3.3.0. This issue affects the function _load_id_token of the file oauth2_provider/oauth2_validators.py. The manipulation leads to session expiration. The attack can be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-19
Last Modified
2026-07-19
Generated
2026-07-19
AI Q&A
2026-07-19
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
django django-oauth-toolkit 3.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16206 is a security issue in django-oauth-toolkit 3.3.0 affecting the _load_id_token function in oauth2_provider/oauth2_validators.py. It allows session expiration manipulation through remote attacks. The project was notified but has not responded.

Detection Guidance

Check Django OAuth Toolkit configuration files for default settings like REFRESH_TOKEN_EXPIRE_SECONDS set to None and OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS set to True. Review logs for unusual token usage or session expiration anomalies.

Impact Analysis

This vulnerability could allow attackers to maintain indefinite access if refresh tokens are leaked due to the default REFRESH_TOKEN_EXPIRE_SECONDS setting being None. Expired tokens might also be misused during logout processes if OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS is True.

Compliance Impact

This vulnerability could impact compliance with GDPR and HIPAA by allowing indefinite token validity if refresh tokens are not configured with finite lifetimes. Leaked tokens may lead to unauthorized access, violating data protection requirements for session management and access control.

Mitigation Strategies

Set a finite value for REFRESH_TOKEN_EXPIRE_SECONDS instead of None. Disable OIDC_RP_INITIATED_LOGOUT_ACCEPT_EXPIRED_TOKENS by setting it to False. Monitor token lifetimes and rotate compromised tokens.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16206. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart