

Date: November 16, 2021


In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insufficient Session Expiration. When a user’s password is changed by the administrator, the session isn’t invalidated, allowing a malicious user to still be logged in and perform arbitrary actions within the system.


ArangoDB's user session management fails to invalidate a user's session after the admin changes that user's password. As a result, the user stays logged in and can continue to perform functions, whereas the current user session should be invalidated immediately after the admin changes the user's password.

PoC Details

1. Log in as a user in a browser in Incognito Mode.
2. Log in as an administrator in a normal window. Go to "Users" on the left tab to manage the user that is logged in in the incognito window. Change the user's password.
3. Now go back to the user's session. The user is still able to access all pages in the current session, even after the admin has changed the user's password. This verifies that the user session is not invalidated after the admin performs "Edit user Password".
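The behaviour shown in the PoC and the expected behaviour can be contrasted in a small session store. This is an added sketch, not ArangoDB's code: `SessionStore`, its method names and the `tok-N` token format are hypothetical, and the password check itself is omitted.

```cpp
#include <cstdint>
#include <string>
#include <unordered_map>

// Added sketch, not ArangoDB code. Each session records the credential
// generation that was current for its user when the session was issued.
class SessionStore {
 public:
  // Called after the password check has succeeded (check omitted here).
  std::string login(const std::string& user) {
    // Constructed token for the demo; real tokens must come from a CSPRNG.
    std::string token = "tok-" + std::to_string(++counter_);
    sessions_[token] = Session{user, generation_[user]};
    return token;
  }

  // Behaviour described in the advisory: the password is replaced, but
  // sessions issued under the old password are left untouched.
  void changePasswordKeepSessions(const std::string& user) { (void)user; }

  // Expected behaviour: bumping the generation invalidates every session
  // issued before the change, without having to enumerate them.
  void changePasswordRevokeSessions(const std::string& user) {
    ++generation_[user];
  }

  // True only if the token exists and was issued under the user's
  // current credential generation.
  bool validate(const std::string& token) {
    auto it = sessions_.find(token);
    if (it == sessions_.end()) return false;
    if (it->second.generation != generation_[it->second.user]) {
      sessions_.erase(it);  // stale: issued before the password change
      return false;
    }
    return true;
  }

 private:
  struct Session { std::string user; std::uint64_t generation; };
  std::unordered_map<std::string, Session> sessions_;
  std::unordered_map<std::string, std::uint64_t> generation_;
  std::uint64_t counter_ = 0;
};
```

Checking the generation on every request means a password change takes effect on the next request from any outstanding session, including sessions in other browsers.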

Affected Environments

v3.7.6 through v3.8.3


Upgrade to version v3.9.0-alpha.1 or later

Language: C++

Good to know:


Insufficient Session Expiration


Upgrade Version

Upgrade to version v3.9.0-alpha.1


Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial