Skip to main content

CWE-1259

Improper Restriction of Security Token Assignment

12 CVEs Avg CVSS 6.0 MITRE
1
CRITICAL
1
HIGH
9
MEDIUM
1
LOW
1
POC
0
KEV

Monthly

CVE-2026-25700 HIGH This Week

Privilege persistence in Apache Answer through version 2.0.0 allows suspended, deleted, or deactivated administrator accounts to retain access to administrative APIs because previously issued tokens are not invalidated upon account state change. The flaw requires high-privilege access to obtain a token initially and carries a CVSS 7.2 with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and SSVC marks exploitation as none.

Information Disclosure Apache Apache Answer
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-40264 Go LOW PATCH GHSA Monitor

OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tokens belonging to users in other tenants if the token accessor is disclosed, bypassing the multi-tenant isolation guarantee. The vulnerability requires high privilege level and user interaction but undermines the core security boundary of OpenBao's namespace-based multi-tenancy model. No active exploitation has been reported.

Information Disclosure Openbao
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-56207 MEDIUM This Month

A security flaw in the '_transfer' function of a smart contract implementation for Money Making Opportunity (MMO), an Ethereum ERC721 Non-Fungible Token (NFT) project, allows users or attackers to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-56676 MEDIUM This Month

TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Information Disclosure Zender
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-4598 MEDIUM This Month

An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Api Manager Micro Integrator
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-50579 MEDIUM This Month

A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Proxy Manager
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-51306 MEDIUM POC This Week

In Gatling Enterprise versions below 1.25.0, a user logging-out can still use his session token to continue using the application without expiration, due to incorrect session management. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gatling
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-27955 MEDIUM This Month

Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code.

RCE Clinical Collaboration Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-45448 MEDIUM This Month

Page table protection configuration vulnerability in the trusted firmware module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Emui Harmonyos
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-41948 Maven MEDIUM PATCH This Month

biscuit-java is the java implementation of Biscuit, an authentication and authorization token for microservices architectures. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Biscuit Java
NVD GitHub
CVSS 3.1
5.0
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH This Week

Privilege persistence in Apache Answer through version 2.0.0 allows suspended, deleted, or deactivated administrator accounts to retain access to administrative APIs because previously issued tokens are not invalidated upon account state change. The flaw requires high-privilege access to obtain a token initially and carries a CVSS 7.2 with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis and SSVC marks exploitation as none.

Information Disclosure Apache Apache Answer
NVD VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OpenBao versions prior to 2.5.3 allow high-privileged administrators in one tenant to revoke or renew authentication tokens belonging to users in other tenants if the token accessor is disclosed, bypassing the multi-tenant isolation guarantee. The vulnerability requires high privilege level and user interaction but undermines the core security boundary of OpenBao's namespace-based multi-tenancy model. No active exploitation has been reported.

Information Disclosure Openbao
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

A security flaw in the '_transfer' function of a smart contract implementation for Money Making Opportunity (MMO), an Ethereum ERC721 Non-Fungible Token (NFT) project, allows users or attackers to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Information Disclosure +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An information disclosure vulnerability exists in multiple WSO2 products due to improper implementation of the enrich mediator. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Api Manager Micro Integrator
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Nginx Information Disclosure Nginx Proxy Manager
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Week

In Gatling Enterprise versions below 1.25.0, a user logging-out can still use his session token to continue using the application without expiration, due to incorrect session management. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gatling
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code.

RCE Clinical Collaboration Platform
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Page table protection configuration vulnerability in the trusted firmware module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Emui Harmonyos
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

biscuit-java is the java implementation of Biscuit, an authentication and authorization token for microservices architectures. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Biscuit Java
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy