Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local access and prior victim login interaction required (PR:L, UI:R); credentials fully exposed upon access (C:H/I:H), no availability impact.
Primary rating from Vendor (INCIBE).
CVSS VectorVendor: INCIBE
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.
AnalysisAI
Credential exposure in Redmine allows any local attacker with access to a previously-used browser session to recover plaintext login credentials stored by the application after form submission. The flaw (CWE-257) affects all tracked Redmine versions per NVD CPE data and represents a classic insecure credential storage issue. No public exploit has been identified at time of analysis, and exploitation is constrained to local attack vectors requiring prior user interaction.
Technical ContextAI
CWE-257 (Storing Passwords in a Recoverable Format) describes the root cause: Redmine's login form retains submitted credentials in a browser-accessible, recoverable state after the authentication request is processed - likely via browser autocomplete persistence, form cache, or equivalent browser storage mechanism. The CPE string cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:* covers all versions of the Redmine project management application. The vulnerability is application-layer: Redmine fails to clear or protect submitted form data post-submission, leaving credentials readable within the browser environment rather than being discarded after use.
RemediationAI
A vendor patch is available per the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/stored-credentials-redmine - administrators should consult this advisory and apply the patched Redmine release; the exact fixed version number is not independently confirmed from currently available data. As a compensating control pending patching, administrators should configure Redmine's login form with autocomplete='off' to prevent browser credential caching, though this depends on browser enforcement and may affect usability. Users on shared systems should manually clear browser-saved form data after each session. Organizations should enforce browser policies via GPO or MDM to disable credential autofill on sensitive internal applications. Restricting physical and session access to workstations used to access Redmine is the most effective short-term compensating control, with the trade-off of operational friction on shared infrastructure.
Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Red
Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Rated medium se
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by lev
In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obt
Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attac
Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permis
Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's
Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x b
Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal
Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine befor
In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in
Same weakness CWE-257 – Storing Passwords in a Recoverable Format
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36424
GHSA-w8cj-56rx-3gpm