Skip to main content

Listmonk CVE-2026-34584

| EUVDEUVD-2026-18450 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-02 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.1.0
EUVD ID Assigned
Apr 02, 2026 - 18:15 euvd
EUVD-2026-18450
Analysis Generated
Apr 02, 2026 - 18:15 vuln.today
CVE Published
Apr 02, 2026 - 17:31 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.

AnalysisAI

Listmonk versions 4.1.0 through 6.0.x contain authorization bypass vulnerabilities in list permission checks that allow authenticated users in multi-user environments to access mailing lists they should not have access to. The vulnerability affects only self-hosted deployments with multiple untrusted users and has been patched in version 6.1.0. No public exploit code or active exploitation has been identified at this time.

Technical ContextAI

Listmonk is a self-hosted newsletter and mailing list management application. The vulnerability stems from improper authorization controls (CWE-639: Authorization Bypass Through User-Controlled Key) in the list permission validation logic. In multi-user environments where different users should have isolated or role-based access to specific mailing lists, the application fails to properly enforce these access controls across different scenarios. This allows an authenticated user to directly access or manipulate lists owned by or assigned to other users by circumventing or bypassing the permission checks. The affected CPE (cpe:2.3:a:knadh:listmonk:*:*:*:*:*:*:*:*) indicates the vulnerability impacts the Knadh Listmonk product across a range of versions.

RemediationAI

Upgrade Listmonk to version 6.1.0 or later to apply the patch. This is the primary and recommended remediation. Organizations unable to upgrade immediately should restrict access to the Listmonk instance to trusted users only and disable multi-user functionality if possible, though this is a temporary mitigation rather than a complete fix. For detailed upgrade instructions and full advisory information, consult the GitHub security advisory at https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv and the release notes for version 6.1.0 at https://github.com/knadh/listmonk/releases/tag/v6.1.0.

Share

CVE-2026-34584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy