CVE-2026-25700
Apache Answer: AdminToken not invalidated after admin deactivation
In short
When an administrator account is deactivated or deleted in Apache Answer, their security tokens remain valid and can still be used to access admin functions. This means a former admin could keep using their old access credentials even after being removed.
Technical detail
Apache Answer fails to invalidate previously issued admin tokens when an administrator account is suspended, deleted, or deactivated (CWE-1259: Improper Restriction of Security Token Assignment). An attacker possessing a valid admin token from a deactivated account can continue accessing administrative APIs until natural token expiration, bypassing intended access revocation.
Summary generated and translated by AI from the official description.
Improper Restriction of Security Token Assignment vulnerability in Apache Answer.
This issue affects Apache Answer: through 2.0.0.
Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired.
Users are recommended to upgrade to version 2.0.1, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
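The failure the advisory describes is a token check that looks only at the token table (existence and expiry) and never re-reads the account it belongs to. The following Go example, added here and not taken from Apache Answer's code base, contrasts that weak check with a hardened one that re-validates account status on every administrative request, and adds explicit token revocation on status change so that revocation does not depend on which check a caller uses. The `Store`, `User`, `Token` types and all method names are constructed for illustration; "alice" is a constructed sample account.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// UserStatus models the account lifecycle states the advisory names.
type UserStatus int

const (
	StatusActive UserStatus = iota
	StatusSuspended
	StatusDeleted
)

type User struct {
	ID     string
	Role   string
	Status UserStatus
}

type Token struct {
	UserID    string
	ExpiresAt time.Time
}

// Store is a constructed in-memory stand-in for the user and session tables
// (hypothetical; not the application's real data layer). Now is injectable
// so expiry can be exercised deterministically.
type Store struct {
	users  map[string]*User
	tokens map[string]Token
	Now    func() time.Time
}

func NewStore() *Store {
	return &Store{users: map[string]*User{}, tokens: map[string]Token{}, Now: time.Now}
}

func (s *Store) AddUser(id, role string) { s.users[id] = &User{ID: id, Role: role} }

// Issue mints a random bearer token for an active account only.
func (s *Store) Issue(userID string, ttl time.Duration) (string, error) {
	u, ok := s.users[userID]
	if !ok || u.Status != StatusActive {
		return "", errors.New("cannot issue token for inactive account")
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.tokens[tok] = Token{UserID: userID, ExpiresAt: s.Now().Add(ttl)}
	return tok, nil
}

// ValidateExpiryOnly is the weak pattern: the token is accepted as long as it
// exists and has not expired, whatever has since happened to the account.
func (s *Store) ValidateExpiryOnly(tok string) (*User, error) {
	t, ok := s.tokens[tok]
	if !ok {
		return nil, errors.New("unknown token")
	}
	if s.Now().After(t.ExpiresAt) {
		return nil, errors.New("token expired")
	}
	u, ok := s.users[t.UserID]
	if !ok {
		return nil, errors.New("token owner no longer exists")
	}
	return u, nil
}

// ValidateAdmin is the hardened form: after the token check it re-reads the
// account and refuses anything that is not an active administrator.
func (s *Store) ValidateAdmin(tok string) (*User, error) {
	u, err := s.ValidateExpiryOnly(tok)
	if err != nil {
		return nil, err
	}
	if u.Status != StatusActive {
		return nil, errors.New("account is not active")
	}
	if u.Role != "admin" {
		return nil, errors.New("account is not an administrator")
	}
	return u, nil
}

// SetStatus only flips the account state, which is exactly what leaves stale
// tokens behind if nothing else consults the status.
func (s *Store) SetStatus(userID string, st UserStatus) {
	if u, ok := s.users[userID]; ok {
		u.Status = st
	}
}

// RevokeUserTokens drops every token issued to the account; returns the count.
// Calling it from the same code path as SetStatus makes revocation immediate
// even for callers that still use the expiry-only check.
func (s *Store) RevokeUserTokens(userID string) int {
	n := 0
	for k, t := range s.tokens {
		if t.UserID == userID {
			delete(s.tokens, k)
			n++
		}
	}
	return n
}

func main() {
	s := NewStore()
	s.AddUser("alice", "admin")
	tok, _ := s.Issue("alice", time.Hour)
	s.SetStatus("alice", StatusSuspended)
	_, weakErr := s.ValidateExpiryOnly(tok)
	_, strongErr := s.ValidateAdmin(tok)
	fmt.Printf("after suspension: expiry-only check err=%v, admin check err=%v\n", weakErr, strongErr)
	fmt.Printf("tokens revoked: %d\n", s.RevokeUserTokens("alice"))
}
```

The two checks make the point of the advisory concrete: with `ValidateExpiryOnly` a suspended administrator's token still passes, while `ValidateAdmin` rejects it on the next request. Revoking tokens at the moment the status changes is the complementary control, since it also closes the window for any code path that was never updated to re-check status.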
Affected products
Apache Software Foundation · Apache Answer