CVE-2026-28275 is a vulnerability classified under CWE-613 (Insufficient Session Expiration) affecting the Morelitea initiative, a self-hosted project management platform. In versions prior to 0.32.4, when a user changes their password, the system fails to invalidate previously issued JSON Web Tokens (JWTs). These tokens remain valid until their natural expiration, allowing continued authenticated access to protected API endpoints despite the password change. This behavior undermines the security expectation that password changes should terminate all active sessions and tokens to prevent unauthorized access. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H) but no impact on availability (A:N). The flaw could be exploited by an attacker who has obtained or intercepted a JWT prior to the password change, allowing them to maintain access to sensitive project management data and potentially manipulate or exfiltrate information. The issue was publicly disclosed on February 26, 2026, and fixed in version 0.32.4 of the initiative platform. No known exploits have been reported in the wild, but the vulnerability poses a significant risk to organizations relying on this platform for project management and collaboration.

The primary impact of this vulnerability is unauthorized persistent access to sensitive project management data and APIs even after a user changes their password. This undermines the confidentiality and integrity of organizational data, as attackers or malicious insiders can continue to access or manipulate information without re-authentication. Since the vulnerability affects JWT tokens, which are commonly used for stateless authentication, the risk extends to any environment where tokens are stored or transmitted insecurely. Organizations may face data breaches, intellectual property theft, or sabotage of project workflows. The lack of session invalidation also complicates incident response and recovery, as compromised tokens remain valid until expiration. Although availability is not directly affected, the trustworthiness of the platform is compromised, potentially leading to operational disruptions and reputational damage. The vulnerability is especially critical for organizations with sensitive or regulated data managed via the initiative platform.

Organizations should immediately upgrade the Morelitea initiative platform to version 0.32.4 or later, which addresses this vulnerability by properly invalidating JWT tokens upon password changes. Until the upgrade is applied, administrators should consider implementing manual token revocation mechanisms if supported, such as maintaining a token blacklist or reducing token lifetimes to minimize exposure. Monitoring and logging of API access using JWTs should be enhanced to detect suspicious activity involving old tokens. Additionally, enforcing multi-factor authentication (MFA) can reduce the risk of token compromise. Security teams should review their incident response plans to include token revocation strategies and educate users about the importance of password changes and session management. Network-level protections, such as IP whitelisting and anomaly detection, can provide additional layers of defense. Finally, organizations should audit their deployment configurations to ensure secure storage and transmission of JWTs to prevent interception.