Description
Improper Restriction of Security Token Assignment vulnerability in Apache Answer.

This issue affects Apache Answer: through 2.0.0.

Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Published: 2026-06-10
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An administrative token that was issued before an account was suspended, deleted, or deactivated is not invalidated, allowing the token to continue granting access to administrative APIs until it expires. This flaw gives a user who already possesses a valid token the ability to maintain elevated privileges after the administrator account is no longer active, potentially enabling further unauthorized changes or data exfiltration.

Affected Systems

Apache Software Foundation’s Apache Answer is affected through version 2.0.0. No other vendors or product lines are listed as impacted.

Risk and Exploitability

With a CVSS score of 7.2, the vulnerability is assessed as medium‑high severity. The vulnerability is not listed in the CISA KEV catalog and EPSS data is not available, so the likelihood of widespread exploitation is unclear. However, the flaw can be leveraged by anyone who already holds a valid administrative token issued before account deactivation, since the token remains usable until its natural expiration. The attack requires no additional privileges beyond the existing token, making it a small‑to‑medium risk for systems still running vulnerable versions.

Generated by OpenCVE AI on June 10, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Answer to version 2.0.1 or later to ensure that administrative tokens are revoked when an account is deactivated.
  • After upgrading, review all existing administrative tokens and revoke or rotate them immediately to eliminate any lingering valid tokens.
  • Verify that future releases or custom account‑deactivation scripts automatically invalidate tokens, and configure monitoring to alert on any administrative API calls made with expired or revoked tokens.

Generated by OpenCVE AI on June 10, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:answer:*:*:*:*:*:*:*:*

Wed, 10 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache answer
Vendors & Products Apache
Apache answer

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Title Apache Answer: AdminToken not invalidated after admin deactivation
Weaknesses CWE-1259
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-19T05:45:50.544Z

Reserved: 2026-02-05T12:42:39.832Z

Link: CVE-2026-25700

cve-icon Vulnrichment

Updated: 2026-06-19T05:45:50.544Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T16:16:58.743

Modified: 2026-06-12T00:50:20.123

Link: CVE-2026-25700

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T19:30:37Z

Weaknesses
  • CWE-1259

    Improper Restriction of Security Token Assignment