Description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Published: 2026-02-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized continued access after password change
Action: Immediate patch
AI Analysis

Impact

The vulnerability lies in an improper invalidation of JSON Web Tokens (JWTs) when a user changes their password. Previously issued tokens remain valid until they naturally expire, allowing an attacker who has acquired or guessed a token to continue accessing protected API endpoints even after the account credentials have been updated. This results in unauthorized authenticated access that could expose sensitive project data or allow further exploitation.

Affected Systems

The affected system is the Initiative project‑management platform from Morelitea. All releases before 0.32.4 are vulnerable; upgrading to 0.32.4 or later eliminates the flaw by invalidating existing tokens upon password change.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity; however, the EPSS score of less than 1% suggests a very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers would need a valid JWT, which may be obtained through legitimate or malicious means, and then exploit the failure to refresh the token after a password change. The attack vector is inferred to be remote via the API, as the flaw pertains to token validity rather than code execution.

Generated by OpenCVE AI on April 18, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch by upgrading Morelitea Initiative to version 0.32.4 or later
  • If an upgrade is delayed, manually revoke or delete all existing JWTs from the session store to force re‑authentication
  • Enable monitoring of API usage to detect any anomalous activity that could indicate misuse of still‑valid tokens

Generated by OpenCVE AI on April 18, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Morelitea
Morelitea initiative
Vendors & Products Morelitea
Morelitea initiative

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
Title Initiative Vulnerable to Improper Session Invalidation (JWT Remains Valid)
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Morelitea Initiative
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:44:23.728Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28275

cve-icon Vulnrichment

Updated: 2026-02-27T17:44:19.029Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T23:16:37.240

Modified: 2026-02-27T19:07:07.187

Link: CVE-2026-28275

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses