{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25700", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-02-05T12:42:39.832Z", "datePublished": "2026-06-10T14:57:00.853Z", "dateUpdated": "2026-06-10T16:14:45.916Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Answer", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Sho Odagiri"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Restriction of Security Token Assignment vulnerability in Apache Answer.</p><p>This issue affects Apache Answer: through 2.0.0.</p>Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.<br><p>Users are recommended to upgrade to version 2.0.1, which fixes the issue.</p>"}], "value": "Improper Restriction of Security Token Assignment vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 2.0.0.\n\nPreviously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.\nUsers are recommended to upgrade to version 2.0.1, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1259", "description": "CWE-1259 Improper Restriction of Security Token Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-10T14:57:00.853Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/ftw52mlxknjm29vo1mnqovj53z2kh96y"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Answer: AdminToken not invalidated after admin deactivation", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-10T16:14:22.010124Z", "id": "CVE-2026-25700", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T16:14:45.916Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25700", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-10T16:14:22.010124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T16:13:43.662Z"}}], "cna": {"title": "Apache Answer: AdminToken not invalidated after admin deactivation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Sho Odagiri"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Answer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/ftw52mlxknjm29vo1mnqovj53z2kh96y", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Restriction of Security Token Assignment vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 2.0.0.\n\nPreviously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.\nUsers are recommended to upgrade to version 2.0.1, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Restriction of Security Token Assignment vulnerability in Apache Answer.</p><p>This issue affects Apache Answer: through 2.0.0.</p>Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.<br><p>Users are recommended to upgrade to version 2.0.1, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1259", "description": "CWE-1259 Improper Restriction of Security Token Assignment"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-10T14:57:00.853Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25700", "state": "PUBLISHED", "dateUpdated": "2026-06-10T16:14:45.916Z", "dateReserved": "2026-02-05T12:42:39.832Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-06-10T14:57:00.853Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of Security Token Assignment vulnerability in Apache Answer.\n\nThis issue affects Apache Answer: through 2.0.0.\n\nPreviously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.\nUsers are recommended to upgrade to version 2.0.1, which fixes the issue."}], "id": "CVE-2026-25700", "lastModified": "2026-06-10T18:35:49.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-06-10T16:16:58.743", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/ftw52mlxknjm29vo1mnqovj53z2kh96y"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1259"}], "source": "security@apache.org", "type": "Secondary"}]}

{}