CVE-2026-25700 (HIGH) · CNA: apache

CVE-2026-25700: Apache Answer: AdminToken not invalidated after admin deactivation

Improper Restriction of Security Token Assignment vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Previously issued administrative tokens were not invalidated after an administrator account was suspended, deleted, or deactivated, allowing continued access to administrative APIs until the token expired. Users are recommended to upgrade to version 2.0.1, which fixes the issue.

Metrics

  • CVSS v3.1: 7.2
  • Severity: HIGH
  • Fixed in: not listed
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authentication-bypass vulnerability in Apache Answer allows previously issued admin tokens to remain valid after the administrator account is suspended, deleted, or deactivated. The flaw is reachable over the network and requires a high-privilege (admin-level) token, but because that token is not invalidated on account deactivation, a former administrator retains full API access until the token naturally expires. Successful exploitation gives the attacker full read, write, and availability control over the application. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
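To make the flaw concrete, here is an added illustration (not Apache Answer's own code or API; every type and function name is assumed) of the vulnerable validation pattern beside a hardened one that checks the live account record and a per-account revocation instant on every request:

```go
package main

import (
	"errors"
	"time"
)

// Constructed types for illustration only; not Apache Answer's data model.
type Account struct {
	ID        string
	Role      string
	Active    bool
	RevokedAt time.Time // set on suspend/delete; tokens issued at or before it are void
}
type AdminToken struct {
	Subject  string
	Role     string
	IssuedAt time.Time
	Expires  time.Time
}

var ErrUnauthorized = errors.New("unauthorized")

// Deactivate suspends or deletes the account and records the revocation instant.
func Deactivate(accounts map[string]*Account, id string, now time.Time) {
	if a, ok := accounts[id]; ok {
		a.Active = false
		a.RevokedAt = now
	}
}

// VulnerableCheck reflects the flaw: the token is trusted on its own claims
// (role and expiry), so deactivating the account has no effect until expiry.
func VulnerableCheck(tok AdminToken, now time.Time) error {
	if tok.Role != "admin" || now.After(tok.Expires) {
		return ErrUnauthorized
	}
	return nil
}

// HardenedCheck additionally requires that the account still exists, is active,
// still holds the admin role, and that the token post-dates the last revocation.
func HardenedCheck(tok AdminToken, accounts map[string]*Account, now time.Time) error {
	if err := VulnerableCheck(tok, now); err != nil {
		return err
	}
	a, ok := accounts[tok.Subject]
	if !ok || !a.Active || a.Role != "admin" || !tok.IssuedAt.After(a.RevokedAt) {
		return ErrUnauthorized
	}
	return nil
}
```

The revocation timestamp also covers the case where an account is later reactivated: tokens minted before the suspension stay void while tokens minted afterwards are accepted.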

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-25700 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Apache Answer. Coverage applies to both registry scans and in-pipeline image checks at build time.

Triage (Available)

Triage is available with a CVSS v3.1 score of 7.2 (HIGH), and per-environment compliance policy weighting can escalate or adjust the priority before routing the finding to the appropriate team inbox inside each customer organization.

Patch (Pending upstream)

No upstream fix version has been published for this CVE yet. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released, with auto-remediation customers receiving a rebuild, regression run, and a PR opened against affected workloads at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable API endpoints are exposed over the network, so the attacker must be able to reach the Apache Answer service via HTTP/HTTPS.

  • Authentication: Required

    A previously issued admin-level token is needed, though the token does not require an active account because it is never invalidated on deactivation.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker makes direct API calls using the retained token.

  • Attack complexity

    The exploit is reliable and condition-free once the attacker holds a previously issued admin token, with no race conditions or environmental factors required.

Blast Radius

  • Reads any data accessible to an administrator, including user records, private content, and configuration secrets.
  • Modifies or deletes persisted application data, site settings, and user account states.
  • Disrupts service availability through administrative API actions such as bulk deletion or configuration corruption.
  • Maintains persistent unauthorized access until the orphaned token reaches its natural expiry, potentially spanning hours or days.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-25700 is active across all environments running Apache Answer at or below version 2.0.0. Because no upstream patch version has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment an upstream fix appears. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. While no patch is available, recommended compensating controls include network-policy isolation to restrict Apache Answer admin API endpoints to known management CIDRs only, egress filtering to limit lateral movement if a token is abused, and immediate manual revocation or rotation of all issued admin tokens for any account that has been suspended or removed.

Affected packages
  • Apache Software Foundation / Apache Answer: ≤ 2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H