Session does not expire on logout in plankanban/planka


Reported on

Aug 27th 2022


Existing session is not invalidated on actions like logout. The fact that the session key is valid for 1 year makes it more dangerous.

Proof of Concept

  1. Login to planka
  2. Record the session token
  3. Logout
  4. Replay an authenticated request with the recorded token. The actions will still be executed.


The session token is valid for a year. If an attacker has access to the session token then, the attacker can use it to access user account for an year.

We are processing your report and will contact the plankanban/planka team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a exists a year ago
We have contacted a member of the plankanban/planka team and are waiting to hear back a year ago
Maksim Eltyshev validated this vulnerability a year ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the plankanban/planka team. We will try again in 7 days. a year ago
Maksim Eltyshev marked this as fixed in 1.8.0 with commit 810993 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation