PYSEC-2026-1463

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/infrahub-server/PYSEC-2026-1463.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1463
Aliases
Published
2026-07-07T16:03:04.718927Z
Modified
2026-07-07T17:47:15.591319861Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Infrahub: Deleted and expired API tokens can still authenticate
Details

Impact

A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully.

Patches

This issue is fixed in versions 1.3.9 and 1.4.5

Workarounds

Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.

References

Affected packages

PyPI / infrahub-server

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.9
Introduced
1.4.0
Fixed
1.4.5

Affected versions

1.*
1.0.1
1.0.8
1.0.9
1.0.10
1.1.0b2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.2.0b1
1.2.0rc0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9rc0
1.2.9
1.2.10
1.2.11
1.2.12
1.3.0a0
1.3.0b1
1.3.0b2
1.3.0b3
1.3.0b5
1.3.0b6
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/infrahub-server/PYSEC-2026-1463.yaml"