Security advisories

Here you will find a list of vulnerabilities that have already been found and fixed in Contao. If you think that you have found a security issue in Contao, please report it according to our security policy.

Remember-me tokens are not cleared after a password change

by Leo Feyer

Date: 2024-04-09
CVE ID: CVE-2024-30262

When a front end member changes their password, the corresponding remember-me tokens are not removed, so a remember-me cookie issued before the change still logs the member in afterwards.
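The failure mode and the corresponding fix, as an added illustrative Python model (not Contao's code; the Member class, the hashed series/token store and the helper names are assumptions for the demo):

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a member record with persistent remember-me tokens,
# keyed by a random series id (only the token hash is stored).
@dataclass
class Member:
    username: str
    password_hash: str
    remember_me: dict = field(default_factory=dict)  # series -> sha256(token)

def hash_password(password: str) -> str:
    # Placeholder hash for the demo; a real application uses a password hasher.
    return hashlib.sha256(password.encode()).hexdigest()

def issue_remember_me(member: Member) -> tuple[str, str]:
    """Issue a (series, token) cookie pair and persist only the token hash."""
    series, token = secrets.token_hex(16), secrets.token_hex(32)
    member.remember_me[series] = hashlib.sha256(token.encode()).hexdigest()
    return series, token

def auto_login(member: Member, series: str, token: str) -> bool:
    """Accept the cookie only if the series exists and the token hash matches."""
    stored = member.remember_me.get(series)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(token.encode()).hexdigest())

def change_password_vulnerable(member: Member, new_password: str) -> None:
    # The pattern the advisory describes: the hash is replaced, the tokens survive.
    member.password_hash = hash_password(new_password)

def change_password(member: Member, new_password: str) -> None:
    # Fixed pattern: replacing the password also revokes every remember-me token,
    # so a cookie issued before the change can no longer auto-login afterwards.
    member.password_hash = hash_password(new_password)
    member.remember_me.clear()

def old_cookie_still_works(fixed: bool) -> bool:
    """True if a remember-me cookie issued before a password change still logs in."""
    member = Member("alice", hash_password("old-password"))
    series, token = issue_remember_me(member)
    (change_password if fixed else change_password_vulnerable)(member, "new-password")
    return auto_login(member, series, token)
```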

Affected versions

Contao 4.0
Contao 4.1
Contao 4.2
Contao 4.3
Contao 4.4
Contao 4.5
Contao 4.6
Contao 4.7
Contao 4.8
Contao 4.9
Contao 4.10
Contao 4.11
Contao 4.12
Contao 4.13 up to 4.13.39

Suggested solution

Upgrade to Contao 4.13.40.

As a workaround, disable "Allow auto login" in the login module.
