The team behind Memos, the privacy-first, self-hosted knowledge base platform, has issued a security advisory for CVE-2024-21635, a session-management flaw that could allow attackers to maintain access to user accounts even after a password change. The vulnerability carries a CVSS score of 7.1, placing it in the high-severity category.
Memos describes itself as “a privacy-first, self-hosted knowledge base that works seamlessly for personal notes, team wikis, and knowledge management.” Built with Go and React, it emphasizes security and self-hosting control.
The problem centers on how Memos handles Access Tokens, the mechanism used to authenticate user sessions. According to the advisory, “When a user changes their password, the existing list of Access Tokens stay valid instead of expiring.”
This means that even if a user detects suspicious activity and resets their password, an attacker who already obtained a valid token would remain logged in. As the report explains, “The bad actor though will still have access to their account because the bad actor’s Access Token stays on the list as a valid token.”
To worsen the situation, the platform’s token list is difficult to audit: “The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor.”
The advisory includes a simple Proof of Concept (PoC) involving two devices:
- Log into the same Memos account on Device A and Device B.
- Change the password on Device A.
- Device B remains logged in.
- Change the password on Device B.
- Device A still remains logged in.
This demonstrates that session tokens are not invalidated at any point during password resets. The advisory confirms, “Refresh the page on the 2nd device and notice how it doesn’t log out the user.”
This behavior contradicts modern security expectations, where password changes are expected to invalidate all active sessions.
The vulnerability poses a significant threat during account takeover events. As the advisory puts it: “A bad actor will still have access to the user’s account because the Access Token does not expire on a password update.”
Even after a password reset, attackers could continue reading notes, modifying content, or accessing sensitive knowledge base information—especially in organizational or team-based deployments.
The vulnerability affects all builds up to and including v0.18.1. The advisory notes that the latest stable release is v0.25.2, which contains the fix.
The Memos team has corrected the issue by ensuring all existing sessions and tokens are invalidated immediately upon a password change: “All Access Tokens will need to be revoked when a user changes their password. This removes the session for all the user’s devices and prompts the user to log in again.”
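To make the two-device proof of concept and the fix concrete, the following Go simulation is an added example written for this article; it is not code from the Memos project. It models a server-side access-token list with a `revokeOnPasswordChange` switch (a hypothetical name) so the same replay of the PoC steps shows both the pre-fix behaviour, where device B stays logged in after device A changes the password, and the fixed behaviour, where every token of that user is revoked while other users' sessions are untouched. Token secrets are stored only as SHA-256 hashes, which is an assumption about sensible storage rather than a description of how Memos persists them.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
	"time"
)

// AccessToken is one entry in a user's token list. The secret itself is not
// stored; the map key is the SHA-256 hash of the secret.
type AccessToken struct {
	UserID      string
	Description string // a generic value here is what makes auditing hard
	IssuedAt    time.Time
}

// TokenStore is an in-memory token list. revokeOnPasswordChange (hypothetical
// name) toggles between the pre-fix behaviour (tokens survive a password
// change) and the fixed behaviour (all of the user's tokens are revoked).
type TokenStore struct {
	mu                     sync.Mutex
	tokens                 map[string]AccessToken
	revokeOnPasswordChange bool
}

func NewTokenStore(revokeOnPasswordChange bool) *TokenStore {
	return &TokenStore{
		tokens:                 make(map[string]AccessToken),
		revokeOnPasswordChange: revokeOnPasswordChange,
	}
}

func hashSecret(secret string) string {
	sum := sha256.Sum256([]byte(secret))
	return hex.EncodeToString(sum[:])
}

// Login issues a fresh 256-bit random opaque token and records it.
func (s *TokenStore) Login(userID, description string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	secret := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[hashSecret(secret)] = AccessToken{UserID: userID, Description: description, IssuedAt: time.Now()}
	return secret
}

// Authenticate reports whether a presented token is still on the list.
func (s *TokenStore) Authenticate(secret string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.tokens[hashSecret(secret)]
	return ok
}

// ChangePassword stands in for the credential update. The password hashing
// itself is omitted; what matters here is whether the token list is touched.
func (s *TokenStore) ChangePassword(userID string) {
	if !s.revokeOnPasswordChange {
		return // pre-fix: existing tokens stay valid
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	for key, tok := range s.tokens {
		if tok.UserID == userID {
			delete(s.tokens, key) // fixed: every session of this user is revoked
		}
	}
}

// PoCResult records which sessions are still accepted after the password change.
type PoCResult struct {
	DeviceAStillValid   bool
	DeviceBStillValid   bool
	OtherUserUnaffected bool
}

// RunPoC replays the advisory's steps: log in on device A and device B,
// change the password from device A, then check whether device B (and A)
// are still accepted. A third, unrelated user shows the revocation is scoped.
func RunPoC(revokeOnPasswordChange bool) PoCResult {
	s := NewTokenStore(revokeOnPasswordChange)
	tokA := s.Login("alice", "Device A")
	tokB := s.Login("alice", "Device B")
	tokBob := s.Login("bob", "Bob's laptop") // constructed unrelated session
	s.ChangePassword("alice")                // performed on Device A
	return PoCResult{
		DeviceAStillValid:   s.Authenticate(tokA),
		DeviceBStillValid:   s.Authenticate(tokB),
		OtherUserUnaffected: s.Authenticate(tokBob),
	}
}

func main() {
	for _, fixed := range []bool{false, true} {
		fmt.Printf("revokeOnPasswordChange=%v: %+v\n", fixed, RunPoC(fixed))
	}
}
```

Running it prints one line per configuration; with the flag off, device B (and A) remain valid after the change, reproducing the advisory's observation, and with it on, both of alice's tokens are gone while bob's is untouched. A real deployment would also want the revocation to cover admin-initiated resets and to leave an audit record with a non-generic description (client, IP, issue time) so a suspicious token can be identified before it is revoked.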
This aligns Memos with industry-standard authentication practices and prevents lingering unauthorized access after credential updates.