Browse and filter security vulnerabilities across ecosystems
Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation
Rocket.Chat: `users.deactivateIdle` deactivates accounts without revoking existing login tokens
Gogs: Password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
NocoDB: Stale Auth Cache After API Token Deletion
NocoDB: OAuth Tokens Persist Through Security Events
NocoDB: Refresh Tokens Persist Through Password Recovery
Daytona: Public sandbox previews remain accessible for up to one hour after being made private
Langflow: Logout button does not clear session
Global session revocation does not invalidate active WebSocket connections
BerriAI litellm SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration
BerriAI litellm PROXY_ADMIN database API Key Generator login_utils.py authenticate_user session expiration
HCL iControl was affected by Inadequate Session Timeout vulnerability
OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session
Perry < 0.5.1166 JWT Expiration Bypass via verify_decode
Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration
OpenClaw < 2026.4.22 - Webhook Secret Revocation Bypass via secrets.reload
Mattermost plugin for OpenClaw < 2026.4.24 - Slash Token Revocation Lag via Monitor Refresh Delay
Bludit's persistent authentication tokens not revoked upon account disablement
Bludit CMS has improper authorization and mediation failure leading to persistent ghost sessions
HAX CMS PHP has Insufficient Session Expiration