Description
Improper Restriction of Security Token Assignment vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Published: 2026-06-10
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An administrative token that was issued before an account was suspended, deleted, or deactivated is not invalidated, allowing the token to continue granting access to administrative APIs until it expires. This flaw gives a user who already possesses a valid token the ability to maintain elevated privileges after the administrator account is no longer active, potentially enabling further unauthorized changes or data exfiltration.

Affected Systems

Apache Software Foundation’s Apache Answer is affected through version 2.0.0. No other vendors or product lines are listed as impacted.

Risk and Exploitability

The vulnerability is not listed in the CISA KEV catalog and EPSS data is not available, so the likelihood of widespread exploitation is unclear. However, the flaw can be leveraged by anyone who already holds a valid administrative token issued before account deactivation, since the token remains usable until its natural expiration. The attack requires no additional privileges beyond the existing token, making it a small‑to‑medium risk for systems still running vulnerable versions.

Generated by OpenCVE AI on June 10, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Answer to version 2.0.1 or later to obtain the token invalidation fix (addressing CWE‑1259).
  • Ensure all existing administrative tokens are revoked or rotated immediately when an administrator account is suspended, deleted, or deactivated.
  • Enable logging and monitor for administrative API calls and token usage to detect any continued activity after an account is disabled.

Generated by OpenCVE AI on June 10, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache answer
Vendors & Products Apache
Apache answer

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Title Apache Answer: AdminToken not invalidated after admin deactivation
Weaknesses CWE-1259
References

Subscriptions

Apache Answer
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-10T16:14:45.916Z

Reserved: 2026-02-05T12:42:39.832Z

Link: CVE-2026-25700

cve-icon Vulnrichment

Updated: 2026-06-10T16:13:43.662Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-10T16:16:58.743

Modified: 2026-06-10T18:35:49.083

Link: CVE-2026-25700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T18:00:15Z

Weaknesses