CVE-2024-21635: Memos' Access Tokens Stay Valid after User Password Change

November 14, 2025 (updated March 12, 2026)

Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password.

The bad actor though will still have access to their account because the bad actor’s Access Token stays on the list as a valid token. The user will have to manually delete the bad actor’s Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of Access Tokens.

References

Code Behaviors & Features

Detect and mitigate CVE-2024-21635 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →