Cyber Resilience

CVE-2026-28275

Severity: High · Public PoC

Published: 26 February 2026
Modified: 27 February 2026
KEV Added
Patch
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS score: 0.0037 (28.6th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28275 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Morelitea Initiative. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Access Token (T1550.001). The CVE is ranked at the 28.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-28275 affects Initiative, a self-hosted project management platform, in versions prior to 0.32.4. The vulnerability, classified under CWE-613 (Insufficient Session Expiration), occurs because the application fails to invalidate previously issued JWT access tokens after a user changes their password. As a result, these older tokens remain valid until their natural expiration and can continue to grant access to protected API endpoints, enabling persistent authenticated access despite the password update. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-02-26.

An attacker requires low privileges (PR:L), such as those of an authenticated user who possesses a valid JWT token issued before the password change. In practice the relevant case is a token that was exposed or stolen before the rotation, which is exactly the access a password change is expected to cut off. Exploitation is possible remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to maintain access to sensitive API endpoints, achieving high impacts on confidentiality (C:H) and integrity (I:H) by reading protected data or modifying resources, with no availability impact (A:N).

Mitigation is provided in Initiative version 0.32.4, which properly invalidates prior tokens upon password changes. Security practitioners should upgrade to this version or later, as outlined in the project's release notes (https://github.com/Morelitea/initiative/releases/tag/v0.32.4) and GitHub security advisory (https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h).
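To show the defect the analysis describes next to its remedy, here is an added, constructed Python example (not Initiative's code and not the project's fix): a minimal stdlib-only HS256 JWT check that, like the pre-0.32.4 behaviour, accepts any unexpired token with a valid signature, beside a hardened check that also requires an assumed per-user token version (`ver` claim) that is bumped whenever the password changes.

```python
import base64, hashlib, hmac, json

# Constructed stdlib-only HS256 helpers so the example runs offline; this is
# illustrative code, not Initiative's implementation.
SECRET = b"placeholder-signing-key"  # placeholder, not a real key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, issued_at: int, token_version: int, ttl: int = 3600) -> str:
    """Mint a token carrying the user's current version in an assumed 'ver' claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "iat": issued_at, "exp": issued_at + ttl, "ver": token_version}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def _verify_signature_and_expiry(token: str, now: int) -> "dict | None":
    """Return claims if the HMAC is valid and exp is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        given = _b64url_decode(sig)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    claims = json.loads(_b64url_decode(payload))
    return claims if claims.get("exp", 0) > now else None

def vulnerable_is_valid(token: str, now: int, users: dict) -> bool:
    """Pre-0.32.4 behaviour as described: only signature and exp are checked, so a
    token minted before a password change stays usable until it expires (CWE-613)."""
    return _verify_signature_and_expiry(token, now) is not None

def hardened_is_valid(token: str, now: int, users: dict) -> bool:
    """Fixed behaviour: additionally require the token's version to equal the user's
    current version, which change_password() bumps, so older tokens are rejected."""
    claims = _verify_signature_and_expiry(token, now)
    if claims is None:
        return False
    user = users.get(claims.get("sub"))
    return user is not None and claims.get("ver") == user["token_version"]

def change_password(users: dict, user_id: str) -> None:
    """A password change bumps token_version, invalidating every earlier token at once."""
    users[user_id]["token_version"] += 1
```

A version counter avoids the same-second ambiguity of comparing the token's `iat` against a `password_changed_at` timestamp, and the same bump can back a "log out everywhere" control (AC-12).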

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.

CWE(s)

CWE-613: Insufficient Session Expiration

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1550.001 Application Access Token (Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.
Why these techniques?

Insufficient JWT invalidation after password change directly enables continued abuse of valid application access tokens (T1550.001) for persistent authenticated access to API endpoints.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28276 · Same product: Morelitea Initiative
CVE-2026-28274 · Same product: Morelitea Initiative
CVE-2024-13996 · Shared CWE-613
CVE-2026-33417 · Shared CWE-613
CVE-2025-57735 · Shared CWE-613
CVE-2026-24669 · Shared CWE-613
CVE-2025-36377 · Shared CWE-613
CVE-2026-1435 · Shared CWE-613
CVE-2025-15553 · Shared CWE-613
CVE-2026-41902 · Shared CWE-613

Affected Assets

morelitea
initiative
≤ 0.32.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

AC-12 Session Termination · prevent
Mandates automatic termination of user sessions upon organization-defined trigger events such as password changes, directly preventing continued access via invalidated JWT tokens.

IA-5 Authenticator Management · prevent
Requires management of authenticators including JWT tokens with mechanisms for validation, revocation, and refresh upon defined events like password changes to ensure old tokens are invalidated.

prevent
Directly addresses the CVE by requiring timely identification, reporting, and correction of flaws such as insufficient token invalidation through patching to version 0.32.4 or later.

References