Skip to main content

CWE-324

Use of a Key Past its Expiration Date

17 CVEs Avg CVSS 6.2 MITRE
1
CRITICAL
3
HIGH
12
MEDIUM
1
LOW
1
POC
0
KEV

Monthly

CVE-2026-52809 Go MEDIUM PATCH GHSA This Month

Password-reset tokens in Gogs self-hosted Git service (versions before 0.14.3) remain valid for the full account-activation lifetime - up to 3 hours by default - regardless of the administrator-configured `RESET_PASSWORD_CODE_LIVES` setting, because `GenerateActivateCode()` hardcodes `conf.Auth.ActivateCodeLives` into the token at generation time. An attacker who obtains an intercepted reset token can exploit it far beyond the intended expiry window to perform full account takeover, exposing all private repositories and source code. No KEV listing at time of analysis, but publicly available exploit code exists within the GitHub Security Advisory GHSA-5c3f-6486-3g7g.

Information Disclosure
NVD GitHub
CVSS 3.1
6.8
EPSS
0.2%
CVE-2025-13723 MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-33012 MEDIUM This Month

IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux could allow an authenticated user to regain access after account lockout due to. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure IBM Db2
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2023-5342 MEDIUM This Month

The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded. Rated medium severity (CVSS 4.1). No vendor patch available.

Information Disclosure Red Hat
NVD
CVSS 3.1
4.1
EPSS
0.0%
CVE-2025-2291 HIGH This Week

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Pgbouncer Debian Linux
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2025-31123 HIGH PATCH This Week

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zitadel
NVD GitHub
CVSS 3.1
8.7
EPSS
0.3%
CVE-2024-7318 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Build Of Keycloak
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-6299 LOW Monitor

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Conduit
NVD
CVSS 3.1
3.7
EPSS
0.2%
CVE-2024-38277 PHP MEDIUM PATCH This Month

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Moodle Fedora
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-36031 CRITICAL PATCH Act Now

In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry time of a key is unconditionally overwritten during. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Linux Linux Kernel
NVD
CVSS 3.1
9.8
EPSS
0.7%
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Password-reset tokens in Gogs self-hosted Git service (versions before 0.14.3) remain valid for the full account-activation lifetime - up to 3 hours by default - regardless of the administrator-configured `RESET_PASSWORD_CODE_LIVES` setting, because `GenerateActivateCode()` hardcodes `conf.Auth.ActivateCodeLives` into the token at generation time. An attacker who obtains an intercepted reset token can exploit it far beyond the intended expiry window to perform full account takeover, exposing all private repositories and source code. No KEV listing at time of analysis, but publicly available exploit code exists within the GitHub Security Advisory GHSA-5c3f-6486-3g7g.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Sterling Partner Engagement Manager versions 6.2.3.0 through 6.2.3.5 and 6.2.4.0 through 6.2.4.2 contain an authentication bypass vulnerability that allows unauthenticated attackers to extract sensitive user information by leveraging expired access tokens over the network without requiring special privileges or user interaction. The vulnerability has a CVSS score of 5.3 with low attack complexity, meaning exploitation is straightforward and requires no special conditions, though the impact is limited to confidentiality breaches with no integrity or availability compromise.

Information Disclosure IBM Sterling Partner Engagement Manager
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM This Month

IBM Db2 10.5.0 through 10.5.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux could allow an authenticated user to regain access after account lockout due to. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure IBM Db2
NVD
EPSS 0% CVSS 4.1
MEDIUM This Month

The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded. Rated medium severity (CVSS 4.1). No vendor patch available.

Information Disclosure Red Hat
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure PostgreSQL Pgbouncer +1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Zitadel is open-source identity infrastructure software. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Zitadel
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Build Of Keycloak
NVD
EPSS 0% CVSS 3.7
LOW Monitor

Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Conduit
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A unique key should be generated for a user's QR login key and their auto-login key, so the same key cannot be used interchangeably between the two. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Moodle Fedora
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

In the Linux kernel, the following vulnerability has been resolved: keys: Fix overwrite of key expiration on instantiation The expiry time of a key is unconditionally overwritten during. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Linux Linux Kernel
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy