{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28275", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.734Z", "datePublished": "2026-02-26T22:56:07.815Z", "dateUpdated": "2026-02-27T17:44:23.728Z"}, "containers": {"cna": {"title": "Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h"}, {"name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"}], "affected": [{"vendor": "Morelitea", "product": "initiative", "versions": [{"version": "< 0.32.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:56:07.815Z"}, "descriptions": [{"lang": "en", "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."}], "source": {"advisory": "GHSA-hww6-3fww-xw3h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:42:45.634963Z", "id": "CVE-2026-28275", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:44:23.728Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28275", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-27T17:42:45.634963Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:44:19.029Z"}}], "cna": {"title": "Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)", "source": {"advisory": "GHSA-hww6-3fww-xw3h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Morelitea", "product": "initiative", "versions": [{"status": "affected", "version": "< 0.32.4"}]}], "references": [{"url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h", "name": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4", "name": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T22:56:07.815Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28275", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:44:23.728Z", "dateReserved": "2026-02-26T01:52:58.734Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T22:56:07.815Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B50ACE8-1939-4039-8DC6-F45DB13167D5", "versionEndExcluding": "0.32.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue."}, {"lang": "es", "value": "Initiative es una plataforma de gesti\u00f3n de proyectos autoalojada. Las versiones de la aplicaci\u00f3n anteriores a la 0.32.4 no invalidan los tokens de acceso JWT emitidos previamente despu\u00e9s de que un usuario cambia su contrase\u00f1a. Como resultado, los tokens m\u00e1s antiguos permanecen v\u00e1lidos hasta su expiraci\u00f3n y a\u00fan pueden utilizarse para acceder a puntos finales de API protegidos. Este comportamiento permite el acceso autenticado continuado incluso despu\u00e9s de que la contrase\u00f1a de la cuenta haya sido actualizada. La versi\u00f3n 0.32.4 corrige el problema."}], "id": "CVE-2026-28275", "lastModified": "2026-02-27T19:07:07.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T23:16:37.240", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/Morelitea/initiative/releases/tag/v0.32.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.32.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "initiative", "source": "cna", "vendor": "Morelitea"}, "product": "initiative", "vendor": "morelitea"}], "created": "2026-02-27T09:03:45.074680+00:00", "updated": "2026-02-27T09:03:45.074830+00:00", "vendors": ["morelitea", "morelitea$PRODUCT$initiative"]}