Skip to main content

Leantime CVE-2026-15510

| EUVDEUVD-2026-43251 LOW
Improper Authorization (CWE-285)
2026-07-12 VulDB GHSA-wf63-vfx8-m795
2.1
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
2.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Network-accessible API requiring a low-privilege account (PR:L); settings write yields limited integrity and confidentiality impact; no availability or scope-change impact identified.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jul 12, 2026 - 23:22 NVD
MEDIUM LOW
CVSS changed
Jul 12, 2026 - 23:22 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jul 12, 2026 - 23:17 vuln.today

DescriptionCVE.org

A vulnerability was found in Leantime up to 3.8.0. Affected is the function Setting::saveSetting of the component API. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Leantime credentials
Delivery
Send crafted POST to Setting::saveSetting API endpoint
Exploit
Application skips authorization check
Execution
Overwrite restricted application settings
Impact
Achieve unauthorized configuration control

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with at least a low-privilege account on the target Leantime instance (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.3 (Medium) reflects a network-accessible, low-complexity, low-privilege attack path with limited impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a standard low-privilege Leantime user account (such as a regular team member or guest) sends a crafted API request to the Setting::saveSetting endpoint, omitting or bypassing the expected authorization check. Because the function does not properly validate that the calling user holds the required administrative role, the request succeeds and the attacker can overwrite application settings - potentially redirecting integrations, altering notification addresses, or degrading application behavior. …
Remediation No vendor-released patch or fixed version has been identified at time of analysis - the vendor did not respond to the initial disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-27474 HIGH POC
8.8 Apr 10

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is

CVE-2024-27705 HIGH POC
7.6 Apr 03

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P

CVE-2023-45826 MEDIUM POC
6.5 Oct 19

Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-27477 MEDIUM POC
6.1 Apr 10

In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality

CVE-2024-27703 MEDIUM POC
5.4 Mar 13

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do ti

CVE-2020-5292 HIGH
8.8 Mar 31

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu

CVE-2024-27476 MEDIUM POC
4.7 Apr 10

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),

CVE-2026-59712 HIGH
8.6 Jul 06

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row

CVE-2026-59713 HIGH
8.6 Jul 06

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a vict

CVE-2026-15509 LOW POC
2.1 Jul 12

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by

CVE-2025-28254 MEDIUM
5.4 Mar 28

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c

CVE-2023-33961 MEDIUM
5.4 May 30

Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote

Share

CVE-2026-15510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy