Low Severity

zenml

Insufficient Session Expiration After Password Reset

ZenML version 0.56.3 does not invalidate existing sessions when a user changes their password, so an attacker who holds an old session credential or session ID can keep using it after the change. The issue is classed as insufficient session expiration. It was unpatched in the reported version and was reproduced on a self-hosted ZenML deployment running in Docker.

Available publicly on Jun 08 2024

3.9

CVSS:

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Credit:

sev-hack
Threat Overview

The core of this vulnerability is the application's failure to invalidate a user's existing sessions when the password is reset. An attacker who has already obtained a session credential (for example through XSS, session fixation, or an unattended browser) keeps access to the account even after the legitimate user has changed their password. Changing the password is one of the few remedies a user can apply on their own when they suspect their account has been compromised, and this flaw makes it ineffective against an attacker who already holds a session. Note that the flaw does not create the initial compromise; it extends the lifetime of one, for as long as the stolen session would otherwise remain valid.

Attack Scenario

An attacker obtains a user's session credentials by some means (e.g., malware, session fixation). The legitimate user, suspecting unauthorized access, changes their password to secure the account. Because the application does not invalidate existing sessions on password reset, the attacker continues to access the account with the old session credentials. The scenario assumes the attacker captured or otherwise obtained the session credentials before the password change.
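The following is an added example, not ZenML's own code, and it makes no claim about how ZenML stores or validates sessions. It models the flaw described in the threat overview and attack scenario above: a session check that looks only at signature and expiry (vulnerable) next to one that also binds each token to the password generation it was issued under (hardened), plus a regression check that replays an old session after a password change. The token format, server secret, user record and clock values are all constructed for the example.

```python
# Added example: not ZenML's code. Models a session validator that ignores
# password changes next to a hardened one, with a regression check.
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

SECRET = b"example-server-secret"  # constructed; a real server loads this from config


@dataclass
class User:
    name: str
    password_hash: str
    password_generation: int = 0  # bumped on every password change


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_session(user: User, now: float, ttl: int = 3600) -> str:
    """Mint a signed token; it records the password generation it was issued under."""
    claims = {"sub": user.name, "exp": now + ttl, "pwd_gen": user.password_generation}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _decode_if_authentic(token: str, now: float):
    """Signature and expiry checks shared by both validators; None on failure."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # malformed token or bad base64
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] > now else None


def validate_vulnerable(token: str, user: User, now: float) -> bool:
    """Accepts any authentic, unexpired token for the user. A token minted
    before a password change stays valid until it expires: the flaw class here."""
    claims = _decode_if_authentic(token, now)
    return claims is not None and claims["sub"] == user.name


def validate_hardened(token: str, user: User, now: float) -> bool:
    """Also requires the token to belong to the current password generation,
    so changing the password revokes every earlier session at once."""
    claims = _decode_if_authentic(token, now)
    return (
        claims is not None
        and claims["sub"] == user.name
        and claims.get("pwd_gen") == user.password_generation
    )


def change_password(user: User, new_hash: str) -> None:
    user.password_hash = new_hash
    user.password_generation += 1  # this single line is what revokes old sessions


def old_session_survives_password_change(validate) -> bool:
    """Regression check: issue a session, change the password, then replay the
    old session. True means the validator is vulnerable."""
    user = User("alice", "argon2-hash-v1")
    t0 = 1_700_000_000.0  # constructed clock, passed explicitly so the check is deterministic
    old_token = issue_session(user, now=t0)
    change_password(user, "argon2-hash-v2")  # the user's "secure my account" step
    return validate(old_token, user, now=t0 + 60)


def fresh_session_after_change_is_accepted(validate) -> bool:
    """Sanity check that the hardened rule does not lock out the real user."""
    user = User("bob", "argon2-hash-v1")
    t0 = 1_700_000_000.0
    change_password(user, "argon2-hash-v2")
    return validate(issue_session(user, now=t0), user, now=t0 + 60)


if __name__ == "__main__":
    for name, fn in (("vulnerable", validate_vulnerable), ("hardened", validate_hardened)):
        print(name, "old session survives password change:", old_session_survives_password_change(fn))
```

A per-user generation counter is preferable to comparing the token's issue time against a `password_changed_at` timestamp, because second-resolution timestamps make a token issued in the same second as the change ambiguous. For applications that keep sessions server-side rather than in signed tokens, the equivalent fix is for the password-change handler to delete all of the user's sessions (optionally keeping the one that performed the change). The same replay check can be run against a live deployment: log in, save the session cookie, change the password, then resend a request with the saved cookie and expect it to be rejected.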

Who is affected

Users of ZenML version 0.56.3 are affected, especially in environments where session credentials may be compromised or shared: shared computers, deployments exposed to XSS, or any scenario in which an attacker can obtain a user's session cookie.
