We recently discovered a vulnerability in Mender Enterprise, and we have now fixed it.
When the useradm service was configured to cache the user's JWT token verification, the token wasn't fully invalidated on log out, making it possible to issue new API calls to the backend despite being logged out. The security issue affects Mender Enterprise 2.6.0 and 2.7.0, and we fixed it in Mender Enterprise 2.6.1 and 2.7.1. Open-source versions of Mender are not affected, as they do not include the caching features.
This is a companion discussion topic for the original entry at https://mender.io/blog/cve-2021-35342-useradm-logout-vulnerabililty