CVE-2026-28275

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Morelitea/initiative/releases/tag/v0.32.4	Product Release Notes
https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 23:16

Updated : 2026-02-27 19:07

NVD link : CVE-2026-28275

Mitre link : CVE-2026-28275

CVE.ORG link : CVE-2026-28275

JSON object : View

Products Affected

morelitea

initiative

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2026-28275", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-02-26T23:16:37.240", "references": [{"url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."}, {"lang": "es", "value": "Initiative es una plataforma de gesti\u00f3n de proyectos autoalojada. Las versiones de la aplicaci\u00f3n anteriores a la 0.32.4 no invalidan los tokens de acceso JWT emitidos previamente despu\u00e9s de que un usuario cambia su contrase\u00f1a. Como resultado, los tokens m\u00e1s antiguos permanecen v\u00e1lidos hasta su expiraci\u00f3n y a\u00fan pueden utilizarse para acceder a puntos finales de API protegidos. Este comportamiento permite el acceso autenticado continuado incluso despu\u00e9s de que la contrase\u00f1a de la cuenta haya sido actualizada. La versi\u00f3n 0.32.4 corrige el problema."}], "lastModified": "2026-02-27T19:07:07.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B50ACE8-1939-4039-8DC6-F45DB13167D5", "versionEndExcluding": "0.32.4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}