Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.
Articles & Coverage 1
AnalysisAI
Authentication bypass in V2Board 1.6.1-1.7.4 and Xboard ≤0.1.9 enables unauthenticated account takeover including admin privileges. When login_with_mail_link_enable is active, attackers POST known email addresses to the loginWithMailLink endpoint, receiving full authentication URLs in HTTP responses. Tokens extracted from these URLs are exchanged at token2Login for valid bearer tokens granting complete account access. Publicly available exploit code exists. CVSS 9.1 critical severity reflects network-accessible attack with no user interaction required.
Technical ContextAI
CWE-201 information exposure via authentication token leakage in response bodies. AuthController.php and MailLinkService.php return sensitive tokens directly in loginWithMailLink responses instead of transmitting via secure email channels. PR:N confirms unauthenticated exploitation; attackers enumerate valid emails and extract tokens from JSON responses without SMTP interception.
RemediationAI
Vendor-released patches: Upgrade V2Board to version addressing GitHub PR #981 or apply commit fixes from upstream repository. Upgrade Xboard to commit 121511523f04882ec0c7447acd9b8ebcb8a47957 or later patched release incorporating PR #873. If immediate upgrade is impossible, disable login_with_mail_link_enable feature in application configuration to eliminate the attack vector. Rotate all existing authentication tokens and audit access logs for unauthorized sessions created via loginWithMailLink or token2Login endpoints. Review VulnCheck advisory for additional mitigation guidance: https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink. Validate patch deployment by confirming tokens no longer appear in loginWithMailLink HTTP responses.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21043
GHSA-83h9-46h8-whf4