Initiative Project Management Platform: Password Change Token Risk

CVE-2026-28275
Summary

Access tokens issued before a password change could still be used to access the platform after the user updated to a new password. An attacker holding a previously issued token could therefore continue to access the system after the user has changed their password. Update to version 0.32.4 to fix this issue.

What to do

Update to version 0.32.4, which fixes the issue. On earlier versions, tokens issued before a password change remain valid until they expire.

Affected software
Vendor | Product | Affected versions | Fix available
morelitea | initiative | <= 0.32.4 | –
Original title
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a ...
Original description
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue.
NVD CVSS 3.1: 8.1
Vulnerability type
CWE-613
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
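
One way to make a password change revoke earlier JWTs, added here as an illustration; it is not Initiative's code or its 0.32.4 fix. The `ver` claim, the per-user `token_version` counter, the `check_version` switch and all names and values are assumptions constructed for this example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"            # constructed value, not a real key
USERS = {"alice": {"token_version": 1}}     # constructed stand-in for a user table

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user, ttl=3600):
    """Issue an HS256 JWT carrying the user's current token version ("ver")."""
    now = int(time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "iat": now, "exp": now + ttl,
              "ver": USERS[user]["token_version"]}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_sign(header + '.' + body)}"

def change_password(user):
    """Password hashing is omitted; bumping the version revokes older tokens."""
    USERS[user]["token_version"] += 1

def verify_token(token, check_version=True, now=None):
    """Return the subject if the token is acceptable, else None.

    check_version=False models the behaviour the advisory describes:
    only signature and expiry are checked, so pre-change tokens still pass.
    """
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(header + "." + body)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        user = USERS.get(claims["sub"])
        if user is None or claims["exp"] <= now:
            return None
        if check_version and claims.get("ver") != user["token_version"]:
            return None
        return claims["sub"]
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```

A version counter avoids the one-second granularity problem of comparing `iat` against a password-change timestamp, at the cost of one user-record lookup per request.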