Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated (PR:L) network call with no interaction reads all credentials, so C:H; the flaw itself only discloses data (takeover is downstream), so I:N and A:N.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.
AnalysisAI
Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row - password hashes, TOTP secrets, and session tokens - by invoking the users.getUser method with arbitrary user IDs (CWE-639, broken object-level authorization). Because the API returns records without verifying the caller owns or is authorized for the requested ID, a low-privileged user can enumerate and harvest credentials for every account, including administrators. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session on the target Leantime instance (CVSS PR:L) and network reachability of the JSON-RPC API endpoint exposing the users.getUser method; the attacker then supplies arbitrary user IDs as the user-controlled key. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H) describes a network-reachable, low-complexity attack that requires only low privileges (PR:L) and no user interaction, yielding high confidentiality and integrity impact - score 8.6. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Leantime user (or an attacker who has registered or phished any account) authenticates and issues repeated users.getUser JSON-RPC calls, incrementing the user ID to enumerate every account. Each response returns the target's password hash, TOTP secret, and session token, which the attacker uses for offline hash cracking, 2FA bypass, and direct session hijacking of an administrator. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the vendor fix delivered in commit 4f2612d13e0e8a2093092a846b44506cf133b671 (https://github.com/Leantime/leantime/commit/4f2612d13e0e8a2093092a846b44506cf133b671) by upgrading to the corresponding patched release once your version is confirmed to include it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Apply vendor patch to Leantime across all instances. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P
Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do ti
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),
Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a vict
Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by
Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to in
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c
Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41942
GHSA-hphp-fmhr-5fqh