CWE-613: Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Last updated
Overview
CWE-613 (Insufficient Session Expiration) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
391 recorded CVEs are caused by CWE-613 (Insufficient Session Expiration). The highest-severity and most recent are shown first. 118 new CWE-613 CVEs have been recorded so far in 2026 (83 in 2025).
- CVE-2024-8888Critical · CVSS 10.0 · EPSS 34th2024-09-18
- CVE-2026-28564
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Critical · CVSS 9.8 · EPSS 29th2026-07-10 - CVE-2026-46455
Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted
Critical · CVSS 9.8 · EPSS 33th2026-07-06