Skip to main content

Leantime CVE-2026-59712

| EUVDEUVD-2026-41942 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-06 VulnCheck GHSA-hphp-fmhr-5fqh
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Authenticated (PR:L) network call with no interaction reads all credentials, so C:H; the flaw itself only discloses data (takeover is downstream), so I:N and A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 21:38 vuln.today

DescriptionCVE.org

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.

AnalysisAI

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged account
Delivery
Authenticate to JSON-RPC API
Exploit
Call users.getUser with arbitrary IDs
Execution
Enumerate all user credential rows
Persist
Crack hashes and steal session/TOTP secrets
Impact
Hijack administrator accounts

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on the target Leantime instance (CVSS PR:L) and network reachability of the JSON-RPC API endpoint exposing the users.getUser method; the attacker then supplies arbitrary user IDs as the user-controlled key. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H) describes a network-reachable, low-complexity attack that requires only low privileges (PR:L) and no user interaction, yielding high confidentiality and integrity impact - score 8.6. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged Leantime user (or an attacker who has registered or phished any account) authenticates and issues repeated users.getUser JSON-RPC calls, incrementing the user ID to enumerate every account. Each response returns the target's password hash, TOTP secret, and session token, which the attacker uses for offline hash cracking, 2FA bypass, and direct session hijacking of an administrator. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the vendor fix delivered in commit 4f2612d13e0e8a2093092a846b44506cf133b671 (https://github.com/Leantime/leantime/commit/4f2612d13e0e8a2093092a846b44506cf133b671) by upgrading to the corresponding patched release once your version is confirmed to include it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Apply vendor patch to Leantime across all instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-27474 HIGH POC
8.8 Apr 10

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is

CVE-2024-27705 HIGH POC
7.6 Apr 03

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P

CVE-2023-45826 MEDIUM POC
6.5 Oct 19

Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-27477 MEDIUM POC
6.1 Apr 10

In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality

CVE-2024-27703 MEDIUM POC
5.4 Mar 13

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do ti

CVE-2020-5292 HIGH
8.8 Mar 31

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu

CVE-2024-27476 MEDIUM POC
4.7 Apr 10

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),

CVE-2026-59713 HIGH
8.6 Jul 06

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a vict

CVE-2026-15509 LOW POC
2.1 Jul 12

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by

CVE-2026-15510 LOW POC
2.1 Jul 12

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to in

CVE-2025-28254 MEDIUM
5.4 Mar 28

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c

CVE-2023-33961 MEDIUM
5.4 May 30

Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote

Share

CVE-2026-59712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy