What is the CVSS score of CVE-2026-28275?

CVE-2026-28275 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Initiative are affected by CVE-2026-28275?

Initiative project management deployments running versions prior to 0.32.4 are vulnerable to account takeover attacks because previously issued authentication tokens remain valid even after users…

Is there a public PoC exploit available for CVE-2026-28275?

Yes, a public proof-of-concept exploit is available for CVE-2026-28275. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-28275?

Within 24 hours: Identify all Initiative instances and their current versions; assess whether any are below 0.32.4. Within 7 days: For vulnerable instances, implement compensating controls (token rotation policy, WAF restrictions, or IP whitelisting) and require all users to change passwords immediately while monitoring for suspicious token activity. Within 30 days: Prioritize upgrade to Initiative 0.32.4 or later as the permanent remediation, or decommission affected instances if upgrade is not feasible.

Initiative CVE-2026-28275

HIGH

Insufficient Session Expiration (CWE-613)

2026-02-26 security-advisories@github.com

Information Disclosure Initiative

8.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:56 vuln.today

PoC Detected

Feb 27, 2026 - 19:07 vuln.today

Public exploit code

CVE Published

Feb 26, 2026 - 23:16 nvd

HIGH 8.1

DescriptionGitHub Advisory

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.

AnalysisAI

Initiative project management platform versions before 0.32.4 fail to revoke JWT tokens when users change their passwords, allowing authenticated attackers with knowledge of old credentials to maintain API access through unexpired tokens. An attacker can exploit this to access protected endpoints and sensitive project data even after legitimate password changes. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain valid JWT token from Initiative instance

Exploit

Change account password

Execution

Reuse old JWT token for API access

Impact

Maintain authenticated access to protected endpoints