All vulnerability reports

Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19

Medium (Base score 6.3) CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE entry:


Authentication.logout() helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3) uses incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the user attempted to log out.

See CWE-613: Insufficient Session Expiration


The vulnerability applies to Fusion applications where the logout() helper method in the Authentication.ts module is used and Spring CSRF protection is enabled for logging out.

Spring Security by default enables CSRF protection. When CSRF is enabled, it only allows HTTP POST requests for logging out. The CSRF protection for logging out can be disabled as in this example, but it is not recommended. The Fusion logout() helper in Authentication.ts of affected versions uses HTTP GET request to do logout, which does not invalidate the session when the CSRF token is enabled.

To address the issue, it is recommended to update the Vaadin version to the aforementioned maintenance versions where the issue is fixed.

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version Mitigation
Vaadin 18 No longer supported; Upgrade to 19.0.4 or newer 19 version
Vaadin 19.0.0 - 19.0.3 Upgrade to 19.0.4 or newer 19 version

Please note that Vaadin 18 is no longer supported and you should update to the latest 19 version.


Maven coordinates Vulnerable version Fixed version
com.vaadin:flow-client 5.0 N/A
com.vaadin:flow-client 6.0.0 - 6.0.4 ≥ 6.0.5



  • 2021-04-20: Initial vulnerability report published