Impact
An authenticated session issued before a password reset or change remains valid afterwards, so an attacker who has already stolen that session cookie keeps access to the compromised account. This defeats the guarantee a password change or reset is supposed to provide, namely that every previously issued session credential stops working: the intruder can keep exploiting the account and exfiltrating data, and the account-recovery procedure no longer evicts them. The weakness is improper session invalidation, classified as CWE‑613 (Insufficient Session Expiration).
Affected Systems
The vulnerability affects installations of listmonk, the open‑source newsletter manager, from version 4.1.0 up to but not including 6.1.0. Version 6.1.0 contains the patch, which invalidates existing sessions when a user's password is changed or reset.
Risk and Exploitability
The CVSS score of 7.1 places the flaw in the High severity band. No EPSS score is available, but exploitation is straightforward and remote: an attacker who already holds a valid session cookie simply keeps presenting it after the victim changes or resets the password, because the application never revokes it. The precondition is that the cookie was obtained in the first place; the bug does not leak the cookie, it only keeps an already-stolen one alive. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the absence of an EPSS score says nothing about whether it is being exploited. Administrators should treat it as a significant risk, especially where sessions may be captured over insecure channels or where a password change is relied on to evict an intruder from an account.
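The following is an added example, not listmonk's code or the fix shipped in 6.1.0, written to make the flaw and the remediation concrete. It models a hypothetical in-memory session store in Go (listmonk's language) and replays the attack from the paragraph above: the attacker already holds a copy of the victim's cookie when the victim changes the password. The "flawed" path replaces the password hash and leaves sessions untouched, which is the behaviour the advisory describes; the hardened path revokes every session the user holds, re-issues one for the device that made the change, and additionally stamps each session with a per-user "password generation" counter so that a cookie which somehow survives deletion is still rejected. The user and session records, the generation counter and the identifiers (`admin`, `hash-v1`) are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical single-goroutine in-memory store for this example, not listmonk's
// code: the user and session records and the per-user password generation counter
// are assumptions. Password hashing and locking are omitted for brevity.

type user struct {
	passwordHash string
	pwGeneration uint64 // incremented on every password change or reset
}

type session struct {
	userID       string
	pwGeneration uint64 // user.pwGeneration at the moment the cookie was issued
}

type Store struct {
	users    map[string]*user
	sessions map[string]*session
}

func NewStore(id, hash string) *Store {
	return &Store{users: map[string]*user{id: {passwordHash: hash}}, sessions: map[string]*session{}}
}

// Login issues a random cookie value bound to the user's current password generation.
func (s *Store) Login(id string) (string, error) {
	u, ok := s.users[id]
	if !ok {
		return "", errors.New("unknown user")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := fmt.Sprintf("%x", b)
	s.sessions[tok] = &session{userID: id, pwGeneration: u.pwGeneration}
	return tok, nil
}

// LookupOnly is the flawed check the advisory describes: any cookie still in the table is accepted.
func (s *Store) LookupOnly(tok string) (string, error) {
	if sess, ok := s.sessions[tok]; ok {
		return sess.userID, nil
	}
	return "", errors.New("invalid or revoked session")
}

// ChangePassword is the hardened path: bump the generation, delete every session the user
// holds, then issue one fresh session so the device that changed the password stays logged in.
func (s *Store) ChangePassword(id, newHash string) (string, error) {
	u, ok := s.users[id]
	if !ok {
		return "", errors.New("unknown user")
	}
	u.passwordHash = newHash
	u.pwGeneration++
	for tok, sess := range s.sessions {
		if sess.userID == id {
			delete(s.sessions, tok)
		}
	}
	return s.Login(id)
}

// Validate is the hardened check: the cookie must exist and carry the user's current generation,
// so a cookie that survived deletion (lagging replica, restored backup, stateless signed cookie) still fails.
func (s *Store) Validate(tok string) (string, error) {
	sess, ok := s.sessions[tok]
	if !ok || sess.pwGeneration != s.users[sess.userID].pwGeneration {
		return "", errors.New("invalid or revoked session")
	}
	return sess.userID, nil
}

// Scenario replays the advisory's attack on both paths: the attacker already holds a copy of the
// victim's cookie when the victim changes the password. Returns whether the stolen cookie is still
// accepted on the flawed path, whether it is still accepted on the fixed path, and whether the re-issued session works.
func Scenario() (stolenOKFlawed, stolenOKFixed, freshOKFixed bool) {
	v := NewStore("admin", "hash-v1")
	stolen, _ := v.Login("admin")
	v.users["admin"].passwordHash = "hash-v2" // flawed path: hash replaced, sessions untouched
	_, errFlawed := v.LookupOnly(stolen)
	f := NewStore("admin", "hash-v1")
	stolen2, _ := f.Login("admin")
	fresh, _ := f.ChangePassword("admin", "hash-v2")
	_, errStale := f.Validate(stolen2)
	_, errFresh := f.Validate(fresh)
	return errFlawed == nil, errStale == nil, errFresh == nil
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("stolen cookie accepted: flawed=%v fixed=%v; re-issued session accepted: %v\n", a, b, c)
}
```

Deleting the user's sessions is the part that closes the hole described here; the generation stamp is belt and braces for deployments where deletion is not atomic with the password update or where sessions are not stored server-side at all. Note that the hardened path deliberately drops the changer's own session too and hands back a fresh one, so the check cannot be bypassed by changing the password from the stolen session.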
OpenCVE Enrichment
GitHub GHSA