Advisory GHSA-258c-965c-p3hc references a vulnerability in the following Go modules:
Description:
Summary
A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens (JWTs) remain fully valid after a user changes their password. The JWT validation middleware (CheckJWT) only verifies token signature, expiry, issuer, and signing algorithm — it does not check whether the token was issued before the most recent password change. The password update code path hashes the new password but never calls InvalidateAuthCacheForEmail() and never revokes or blacklists existing tokens. This effectively negates password rotation as an incident response co...
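The check the advisory describes as missing, written out as an added Go example that is not daptin's code: the password-update path records when the password changed, and the token check rejects any token whose iat is not later than that instant. PasswordEpochs, RecordPasswordChange, ClaimsFromToken and CheckIssuedAfterPasswordChange are hypothetical names, and the in-memory map stands in for whatever persistent store a real deployment would use; signature, exp, iss and alg verification is assumed to have happened already, as CheckJWT does.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

type Claims struct {
	Sub string `json:"sub"` // user identity (email) in this example
	Iat int64  `json:"iat"` // issued-at, seconds since the Unix epoch
}

var ErrMalformed = errors.New("malformed token")
var ErrStale = errors.New("token issued before the last password change")

// PasswordEpochs maps a user to the Unix second of their last password change.
// It is a hypothetical in-memory store, not daptin's own cache or tables.
type PasswordEpochs map[string]int64

// RecordPasswordChange is the call the password-update path must make (the
// step the advisory says is missing) so that older tokens can be rejected.
func (p PasswordEpochs) RecordPasswordChange(user string, at time.Time) {
	p[user] = at.Unix()
}

// ClaimsFromToken decodes the payload of a compact JWS. It assumes the caller
// has ALREADY verified signature, exp, iss and alg, as CheckJWT does.
func ClaimsFromToken(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Sub == "" || c.Iat == 0 {
		return Claims{}, ErrMalformed
	}
	return c, nil
}

// CheckIssuedAfterPasswordChange is the missing check: iat has one-second
// resolution, so a token from the same second as the change also counts as stale.
func (p PasswordEpochs) CheckIssuedAfterPasswordChange(c Claims) error {
	if changedAt, ok := p[c.Sub]; ok && c.Iat <= changedAt {
		return ErrStale
	}
	return nil
}
```

A token without a sub or iat claim is rejected as malformed rather than skipped, because a missing sub would otherwise miss the lookup and be accepted.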
References:
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/daptin/daptin
      versions:
          - fixed: 0.11.8
      vulnerable_at: 0.11.7
summary: |-
    Daptin's Session Management Vulnerability Leads to Insufficient Session
    Expiration After Password Change in github.com/daptin/daptin
ghsas:
    - GHSA-258c-965c-p3hc
references:
    - advisory: https://github.com/advisories/GHSA-258c-965c-p3hc
    - advisory: https://github.com/daptin/daptin/security/advisories/GHSA-258c-965c-p3hc
source:
    id: GHSA-258c-965c-p3hc
    created: 2026-05-07T03:01:22.757773616Z
review_status: UNREVIEWED