Home / Vulnerability Intelligence / CVE-2026-28275

CVE-2026-28275 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: February 27, 2026

Initiative - Authentication Bypass

Published: February 26, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

Initiative < 0.32.4 contains a broken authentication caused by failure to invalidate JWT access tokens after password change, letting attackers continue authenticated access, exploit requires valid token before password change.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 3.1%(Probability of exploitation in next 30 days)

Impact

Attackers can use old JWT tokens to access protected endpoints even after password change, risking unauthorized access.

Mitigation

Upgrade to version 0.32.4 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 27, 2026

🟠 CVE-2026-28275 - High (8.1) Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28275/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28275
Severity: High
CVSS Score: 8.1
Type: broken_authentication
Status: confirmed
EPSS: 3.1%
Social Posts: 1

CWE

CWE-613

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

3.1%Probability of exploitation in the next 30 days