Skip to main content

TEİAŞ Mobile Application CVE-2026-1815

| EUVDEUVD-2026-31289 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-05-21 TR-CERT GHSA-g5rh-53cq-px9w
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 21, 2026 - 15:31 vuln.today
Patch available
May 21, 2026 - 15:01 EUVD

DescriptionCVE.org

Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking.

This issue affects Mobile Application: from 1.6.2 before 1.13.

AnalysisAI

Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions 1.6.2 through before 1.13 permits session hijacking by failing to invalidate session tokens after logout or inactivity. An authenticated attacker who obtains a valid session token can reuse it to access the victim's account data, resulting in high-confidence exposure (C:H) with no integrity or availability impact. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the high confidentiality impact against an energy sector mobile application warrants prompt patching given the sensitivity of the target environment.

Technical ContextAI

CWE-613 (Insufficient Session Expiration) describes a failure to adequately limit the lifetime of session tokens, meaning tokens remain valid server-side long after a user logs out or a reasonable idle timeout should have elapsed. The affected product is the TEİAŞ Mobile Application (CPE: cpe:2.3:a:turkiye_electricity_transmission_corporation_(tei̇aş):mobile_application:*:*:*:*:*:*:*:*), a mobile client used by Turkey's national electricity transmission operator. In this class of vulnerability, session management on the backend does not revoke or rotate tokens upon logout or expiry, so any party who captures or retains a token - through network interception, shared device access, log exposure, or token theft - can continue making authenticated API requests indefinitely. The CVSS network attack vector (AV:N) confirms the application communicates over network protocols where session tokens transit, amplifying the exposure window.

RemediationAI

The vendor has released a patch; users should upgrade the TEİAŞ Mobile Application to version 1.13 or later, which is confirmed as the fix boundary per ENISA EUVD-2026-31289 and the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286. Update distribution should be pushed through the applicable mobile app stores, and administrators should verify that backend session invalidation logic is also updated in any associated server-side components, as CWE-613 typically requires a server-side fix rather than a client-only patch. If immediate upgrade is not feasible, compensating controls should include enforcing short absolute session timeouts on the server side (e.g., 15-30 minutes of inactivity) and implementing token revocation on explicit logout events, though these require backend changes. Advising users to explicitly log out after each session rather than simply closing the app reduces the window of token validity as a short-term measure, with the trade-off of increased friction. Organizations managing TEİAŞ application access for employees should consider enforcing mobile device management (MDM) policies that clear application data on lock, reducing residual token exposure from shared or lost devices.

Share

CVE-2026-1815 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy