CVE-2024-21635: Memos' Access Tokens Stay Valid after User Password Change

November 14, 2025

Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password.

The bad actor though will still have access to their account because the bad actor’s Access Token stays on the list as a valid token. The user will have to manually delete the bad actor’s Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens.

References

github.com/advisories/GHSA-mr34-8733-grr2
github.com/usememos/memos
github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2
nvd.nist.gov/vuln/detail/CVE-2024-21635
owasp.org/Top10/A04_2021-Insecure_Design

Code Behaviors & Features

Detect and mitigate CVE-2024-21635 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →