PYSEC-2026-2069

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/zenml/PYSEC-2026-2069.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2069
Aliases
Published
2026-07-07T14:34:34.551064Z
Modified
2026-07-07T17:47:57.055710126Z
Severity
  • 3.9 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
zenml-io/zenml does not expire the session after password reset
Details

A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised account without the victim's ability to revoke this access. This issue was observed in a self-hosted ZenML deployment via Docker, where after changing the password from one browser, the session remained active and usable in another browser without requiring re-authentication.

References

Affected packages

PyPI / zenml

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.56.3

Affected versions

0.*
0.0.1rc1
0.0.1rc2
0.1.0
0.1.1
0.1.2
0.1.3rc0
0.1.3
0.1.4
0.1.5
0.2.0rc1
0.2.0rc2
0.2.0
0.3.1rc0
0.3.1
0.3.2
0.3.3rc0
0.3.3
0.3.4rc0
0.3.4
0.3.5rc0
0.3.5
0.3.6rc0
0.3.6
0.3.6.1
0.3.7rc0
0.3.7
0.3.7.1rc0
0.3.7.1rc1
0.3.7.1rc3
0.3.7.1rc4
0.3.8
0.3.9rc1
0.3.9rc2
0.5.0rc1
0.5.0rc2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1rc0
0.8.1
0.9.0
0.10.0
0.11.0
0.12.0
0.13.0
0.13.1
0.13.2
0.20.0rc1
0.20.0
0.20.1
0.20.2
0.20.3
0.20.4
0.20.5
0.21.0
0.21.1
0.22.0
0.23.0
0.30.0rc0
0.30.0rc1
0.30.0rc2
0.30.0rc3
0.30.0
0.31.0
0.31.1
0.32.0
0.32.1
0.33.0
0.34.0
0.35.0
0.35.1
0.36.0
0.36.1
0.37.0
0.38.0
0.39.0
0.39.1
0.40.0
0.40.1
0.40.2
0.40.3
0.41.0
0.42.0
0.42.1
0.42.2
0.43.0
0.43.1
0.44.0
0.44.1
0.44.2
0.44.3
0.44.4
0.45.0
0.45.1
0.45.2
0.45.3
0.45.4
0.45.5
0.45.6
0.46.0
0.46.1
0.47.0
0.50.0
0.51.0
0.52.0
0.53.0
0.53.1
0.54.0
0.54.1
0.55.0
0.55.1
0.55.2
0.55.3
0.55.4
0.55.5
0.56.0
0.56.1
0.56.2
0.56.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/zenml/PYSEC-2026-2069.yaml"