CVE-2026-28275
Published: 26 February 2026
Summary
CVE-2026-28275 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Morelitea Initiative. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Access Token (T1550.001). The CVE ranks at the 4.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): Mandates automatic termination of user sessions upon organization-defined trigger events such as password changes, directly preventing continued access via invalidated JWT tokens.
- IA-5 (Authenticator Management): Requires management of authenticators, including JWT tokens, with mechanisms for validation, revocation, and refresh upon defined events such as password changes, so that old tokens are invalidated.
- SI-2 (Flaw Remediation): Directly addresses the CVE by requiring timely identification, reporting, and correction of flaws such as insufficient token invalidation, here by patching to version 0.32.4 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insufficient JWT invalidation after password change directly enables continued abuse of valid application access tokens (T1550.001) for persistent authenticated access to API endpoints.
NVD Description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Deeper analysis
CVE-2026-28275 affects Initiative, a self-hosted project management platform, in versions prior to 0.32.4. The vulnerability, classified under CWE-613 (Insufficient Session Expiration), occurs because the application fails to invalidate previously issued JWT access tokens after a user changes their password. As a result, these older tokens remain valid until their natural expiration and can continue to grant access to protected API endpoints, enabling persistent authenticated access despite the password update. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-02-26.
An attacker requires low privileges (PR:L), such as those of an authenticated user who possesses a valid JWT token issued before the password change. Exploitation is possible remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows the attacker to maintain access to sensitive API endpoints, achieving high impacts on confidentiality (C:H) and integrity (I:H) by reading protected data or modifying resources, with no availability impact (A:N).
Mitigation is provided in Initiative version 0.32.4, which properly invalidates prior tokens upon password changes. Security practitioners should upgrade to this version or later, as outlined in the project's release notes (https://github.com/Morelitea/initiative/releases/tag/v0.32.4) and GitHub security advisory (https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h).
Details
- CWE(s): CWE-613 (Insufficient Session Expiration)