CVE-2026-28275

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-28275
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/Morelitea/initiative/releases/tag/v0.32.4 Product Release Notes
https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h Exploit Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*
History

27 Feb 2026, 19:07

Type Values Removed Values Added
CPE cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*
First Time Morelitea
Morelitea initiative
References () https://github.com/Morelitea/initiative/releases/tag/v0.32.4 - () https://github.com/Morelitea/initiative/releases/tag/v0.32.4 - Product, Release Notes
References () https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h - () https://github.com/Morelitea/initiative/security/advisories/GHSA-hww6-3fww-xw3h - Exploit, Mitigation, Vendor Advisory

27 Feb 2026, 14:06

Type Values Removed Values Added
Summary
  • (es) Initiative es una plataforma de gestión de proyectos autoalojada. Las versiones de la aplicación anteriores a la 0.32.4 no invalidan los tokens de acceso JWT emitidos previamente después de que un usuario cambia su contraseña. Como resultado, los tokens más antiguos permanecen válidos hasta su expiración y aún pueden utilizarse para acceder a puntos finales de API protegidos. Este comportamiento permite el acceso autenticado continuado incluso después de que la contraseña de la cuenta haya sido actualizada. La versión 0.32.4 corrige el problema.

26 Feb 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-26 23:16

Updated : 2026-02-27 19:07

NVD link : CVE-2026-28275

Mitre link : CVE-2026-28275

CVE.ORG link : CVE-2026-28275

JSON object : View

Products Affected

morelitea

  • initiative
CWE
CWE-613

Insufficient Session Expiration