CVE-2025-4644
Description
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2025-4644? +
How do I check if I'm vulnerable to CVE-2025-4644? +
Related Vulnerabilities
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized …
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints …
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and …
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially …
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of …
The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers …