CVE-2026-44394: Missing Token Expiry Propagation
When rescoping or mapping a new session context from an existing token, the original token's expiration time is not explicitly preserved. Failing to propagate the `expires_at` property can allow an attacker to indefinitely extend session lifetimes by repeatedly rescoping tokens before their explicit expiration.
Provally CuratedPublic repositoryMediumMedium confidenceVerifiedApache-2.0
Python
Pythongreprules fetch cve-2026-44394-missing-token-expiry-propagation --engine opengrepDescription
When rescoping or mapping a new session context from an existing token, the original token's expiration time is not explicitly preserved. Failing to propagate the `expires_at` property can allow an attacker to indefinitely extend session lifetimes by repeatedly rescoping tokens before their explicit expiration.
Community feedback
0 signals from signed-in users.
- Useful
- 0
- False positive
- 0
- Metadata
- 0