CVE-2026-28275
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Analysis
Initiative project management platform versions before 0.32.4 fail to revoke JWT tokens when users change their passwords, allowing authenticated attackers with knowledge of old credentials to maintain API access through unexpired tokens. An attacker can exploit this to access protected endpoints and sensitive project data even after legitimate password changes. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Initiative instances and their current versions; assess whether any are below 0.32.4. Within 7 days: For vulnerable instances, implement compensating controls (token rotation policy, WAF restrictions, or IP whitelisting) and require all users to change passwords immediately while monitoring for suspicious token activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today