A critical security vulnerability has been disclosed in Apache Roller, the open-source, Java-based blogging server, that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4. Successful exploitation could enable an attacker to keep using the application through sessions established before a password change, because those sessions were never invalidated. It could likewise give an attacker who had obtained a user's credentials ongoing access that a password reset would not cut off. The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.
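To make the fix concrete, the following is an added illustration (not code from Apache Roller) of the two behaviours the article contrasts: a login service that leaves existing sessions untouched when a password changes or a user is disabled, beside one that routes every session through a central store and revokes all of a user's sessions on those events. All class, function and user names here are hypothetical, and the sample user and passwords are constructed.

```python
"""Session invalidation on password change / account disable.

Added illustration, not Apache Roller's code. With invalidate_on_change=False
the service behaves like the flaw described in CVE-2025-24859 (old sessions
survive a password change or account disable); with invalidate_on_change=True
a central SessionStore revokes every session of the affected user, which is
the class of fix described for release 6.1.5. All names are hypothetical.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    enabled: bool = True


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for illustration only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class SessionStore:
    """Central registry of live sessions, indexed by id and by owner."""

    def __init__(self) -> None:
        self._owner: Dict[str, str] = {}        # session_id -> username
        self._by_user: Dict[str, Set[str]] = {}  # username -> session ids

    def create(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self._owner[session_id] = username
        self._by_user.setdefault(username, set()).add(session_id)
        return session_id

    def owner_of(self, session_id: str) -> Optional[str]:
        return self._owner.get(session_id)

    def revoke_all_for(self, username: str) -> int:
        """Drop every session belonging to `username`; returns how many."""
        ids = self._by_user.pop(username, set())
        for sid in ids:
            self._owner.pop(sid, None)
        return len(ids)


class AuthService:
    def __init__(self, invalidate_on_change: bool) -> None:
        self.invalidate_on_change = invalidate_on_change
        self.sessions = SessionStore()
        self._users: Dict[str, User] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = User(username, salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self._users.get(username)
        if user is None or not user.enabled:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            return None
        return self.sessions.create(username)

    def is_authenticated(self, session_id: str) -> bool:
        # A session is trusted as long as the store still knows it, so
        # whether it survives a credential change depends entirely on
        # whether change_password/disable_user revoke it.
        return self.sessions.owner_of(session_id) is not None

    def change_password(self, username: str, new_password: str) -> None:
        user = self._users[username]
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new_password, user.salt)
        if self.invalidate_on_change:
            self.sessions.revoke_all_for(username)  # the fix: no session outlives the old password

    def disable_user(self, username: str) -> None:
        self._users[username].enabled = False
        if self.invalidate_on_change:
            self.sessions.revoke_all_for(username)  # the fix: disabling kicks out live sessions


def scenario(invalidate_on_change: bool) -> Dict[str, bool]:
    """Someone logged in with the old password; the owner then rotates it and is later disabled."""
    svc = AuthService(invalidate_on_change)
    svc.register("alice", "old-password")  # constructed sample user
    old_session = svc.login("alice", "old-password")
    svc.change_password("alice", "new-password")
    after_change = svc.is_authenticated(old_session)
    new_session = svc.login("alice", "new-password")
    svc.disable_user("alice")
    after_disable = svc.is_authenticated(new_session)
    return {"old_session_valid_after_change": after_change,
            "session_valid_after_disable": after_disable}


if __name__ == "__main__":
    print("vulnerable:", scenario(False))
    print("fixed:     ", scenario(True))
```

Running the script shows both flags as `True` for the vulnerable variant and `False` for the fixed one. The key design point is the per-user index in `SessionStore`: without a central place that knows which sessions belong to whom, a password-change handler has nothing to revoke, which is exactly the situation the article describes. A request-time check of `user.enabled` would be a sensible second layer on top of this, but the example keeps to the session-revocation fix the article names.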