CVE-2025-59786 MEDIUM

CVE-2025-59786: Cookies are not Invalidated upon Logout and Password Change

Vendor 2N Telekomunikace A.s.
Product 2N Access Commander
Weakness CWE-613 · Insufficient session expiration
Published March 4, 2026
Last update March 4, 2026

CVSS base score

6.0/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.

Key dates

02Disclosure timeline

March 4, 2026 CVE published
March 4, 2026 Record updated