CVE-2026-28275
Last modified
CVE-2026-28275 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. EPSS estimates a 0.37% chance of exploitation in the next 30 days.
Description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Morelitea | Initiative | < 0.32.4 |
References
- https://github.com/Morelitea/initiative/releases/tag/v0.32.4Product, Release Notes
- https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3hExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-28275?
How severe is CVE-2026-28275?
How do I fix CVE-2026-28275?
Are you affected by CVE-2026-28275?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST