Session does not expire on logout in plankanban/planka


Reported on

Aug 27th 2022


The existing session is not invalidated on actions such as logout. Because the session key stays valid for 1 year, the issue is more dangerous.

Proof of Concept

  1. Log in to Planka
  2. Record the session token
  3. Log out
  4. Replay an authenticated request with the recorded token. The actions will still be executed.


The session token is valid for a year. If an attacker gains access to the session token, the attacker can use it to access the user's account for a year.
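The sketch below is an added example, not Planka's code or the merged fix: it contrasts a verifier that trusts only the token's signature and expiry with one that also requires a live server-side session record, which logout deletes. The HMAC-signed token format and all function names are assumptions made for illustration.

```javascript
// Added example, not Planka's code. Assumes an HMAC-signed, self-contained token.
const { createHmac, randomBytes, randomUUID, timingSafeEqual } = require('crypto');

const SECRET = randomBytes(32);                 // constructed signing key
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;  // token lifetime stated in the report
const sessions = new Map();                     // sessionId -> { userId, expiresAt }

const sign = (payload) => createHmac('sha256', SECRET).update(payload).digest('base64url');

function login(userId, now = Date.now()) {
  const sessionId = randomUUID();
  const expiresAt = now + ONE_YEAR_MS;
  sessions.set(sessionId, { userId, expiresAt });
  const claims = JSON.stringify({ sessionId, userId, expiresAt });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Checks the MAC in constant time, then the expiry. Returns the claims or null.
function parse(token, now) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return claims.expiresAt > now ? claims : null;
}

// Assumed model of the reported behaviour: logout has no effect on this check.
function verifyStateless(token, now = Date.now()) {
  return parse(token, now);
}

// Hardened check: the token must also map to a live server-side session.
function verifyWithSessionStore(token, now = Date.now()) {
  const claims = parse(token, now);
  if (!claims) return null;
  const record = sessions.get(claims.sessionId);
  return record && record.userId === claims.userId ? claims : null;
}

// Logout deletes the server-side record, revoking the token immediately.
function logout(token) {
  const claims = parse(token, Date.now());
  return claims ? sessions.delete(claims.sessionId) : false;
}
```

After `logout(token)`, `verifyStateless` still accepts the recorded token until its one-year expiry, while `verifyWithSessionStore` rejects it.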

We are processing your report and will contact the plankanban/planka team within 24 hours. (a month ago)
We have contacted a member of the plankanban/planka team and are waiting to hear back. (a month ago)
Maksim Eltyshev validated this vulnerability. (a month ago)
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow-up to the plankanban/planka team. We will try again in 7 days. (a month ago)
Maksim Eltyshev confirmed that a fix has been merged on 810993. (24 days ago)
The fix bounty has been dropped