CVE-2024-13996: 
Nagios XI vulnerability analysis and mitigation

Nagios XI versions prior to 2024R1.1.3 contained a session management vulnerability where user sessions were not properly invalidated after password changes. The vulnerability was discovered and disclosed on October 30, 2025, affecting all Nagios XI installations before version 2024R1.1.3 (VulnCheck Advisory).

The vulnerability is classified as CWE-613 (Insufficient Session Expiration) with a CVSS V4 Base Score of 9.2 Critical (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N). The core issue stems from the application's failure to properly manage session states after credential updates, allowing pre-existing sessions to remain valid even after a user's password has been changed (VulnCheck Advisory).

The vulnerability could allow attackers with access to a valid session to maintain unauthorized access to user accounts even after password changes. This poses significant risks to data confidentiality and integrity as malicious actors could continue to access and manipulate system resources despite attempted security measures like password resets (VulnCheck Advisory).

The vulnerability has been patched in Nagios XI version 2024R1.1.3. Organizations should upgrade to this version or later to address the session management issue. There are no documented workarounds, making the upgrade the only reliable mitigation strategy (Nagios Changelog).