CVE-2025-57766
Published 2025-09-08
Priority: P4 (medium) · CVSS 3.1 base score 4.8
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.27% (19.2nd percentile)
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place. Version 2.69.1 fixes the issue. No known workarounds are available.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ethyca | fides | < 2.69.1 | 2.69.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | 4.0 | 1.7 | LOW | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA (ghsa · 2025-09-08)
CVE-2025-57766 [LOW] CWE-613: Fides' Admin UI User Password Change Does Not Invalidate Current Session
### Summary
Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.
### Details
Fides uses encrypted authentication tokens with extended expiration periods. When a password is changed via password reset endpoints, the system updates the password hash in the database but does not invalidate existing client sessions or tokens. The authentication system validates tokens b
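The Details section describes the CWE-613 pattern: tokens stay valid after a password change because validation looks only at the token itself. The following is an added example, not Fides' code; the HMAC token format, the `USERS` table, the `TTL` and all function names are constructed for illustration. It places that vulnerable check beside the fix of rejecting any token issued before the user's most recent password change.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: not Fides' key, token format or schema.
SECRET = b"demo-signing-key"
TTL = 30 * 24 * 3600  # long-lived token, like the "extended expiration" in the advisory

# Stand-in for the users table; the fix needs the time of the last password change.
USERS = {"alice": {"password_changed_at": 1_700_000_000}}


def issue_token(user_id, issued_at):
    """Mint a signed token carrying subject and issue time (constructed format)."""
    payload = json.dumps({"sub": user_id, "iat": issued_at}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + sig).decode()


def decode_token(token):
    """Return the claims if the signature verifies, else None."""
    try:
        payload, sig = base64.urlsafe_b64decode(token).rsplit(b"|", 1)
    except ValueError:  # bad base64 (binascii.Error) or missing separator
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return json.loads(payload) if hmac.compare_digest(expected, sig) else None


def validate_vulnerable(token, now):
    """Vulnerable pattern: signature and expiry only, so a token minted
    before a password change stays usable until it expires."""
    claims = decode_token(token)
    return claims is not None and now <= claims["iat"] + TTL


def validate_fixed(token, now):
    """Hardened: additionally reject tokens issued before the user's most
    recent password change, which revokes every pre-change session."""
    claims = decode_token(token)
    if claims is None or now > claims["iat"] + TTL:
        return False
    user = USERS.get(claims["sub"])
    return user is not None and claims["iat"] >= user["password_changed_at"]


def change_password(user_id, now):
    """Password reset: record when it happened so validate_fixed can use it.
    The vulnerable path updates only the hash and leaves sessions untouched."""
    USERS[user_id]["password_changed_at"] = now
```

A stateless check like this needs no token blacklist: the per-user `password_changed_at` timestamp is the only extra state.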
OSV (osv · 2025-09-08)
CVE-2025-57766 [LOW] Fides' Admin UI User Password Change Does Not Invalidate Current Session
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-09-08