Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable JSON-RPC endpoint, low complexity; PR:L because a valid account is required; C:H/I:H because owner-role access exposes all project data and permits arbitrary user/data modification.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid authenticated Leantime account with at least low-level privileges (PR:L per the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) scores 5.3 (Medium), but the impact metrics VC:L/VI:L/VA:L appear understated given that successful exploitation yields owner-level access - a full privilege escalation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privileged Leantime account, then crafts a JSON-RPC request targeting the editUser or addUser function with the role argument set to the owner value. The server processes the request without validating whether the caller is permitted to assign that role, granting the attacker owner-level privileges. … |
| Remediation | No vendor-released patch has been identified at time of analysis - the vendor did not respond to the coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P
Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do ti
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),
Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row
Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a vict
Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to in
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c
Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43250
GHSA-q4cr-cr7q-hp2f