Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable OIDC callback with no attacker privileges (PR:N) but mandatory victim click (UI:R); login-CSRF yields high C/I via attacker-account session fixation and no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.
AnalysisAI
Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target Leantime instance is configured to use OIDC single sign-on - the vulnerable verifyState() path only executes in OIDC login flows, so instances using only local authentication are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N (8.6 High) indicates network-reachable, low-complexity exploitation with no attacker privileges, but it explicitly requires passive user interaction (UI:P) - the victim must click a crafted callback link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker initiates an OIDC login, captures their own valid authorization code, and embeds it in a crafted Leantime callback URL that they send to a victim via phishing. When the victim clicks the link, because verifyState() never checks the state parameter, Leantime completes the login and silently binds the victim's browser session to the attacker's account; any project data the victim subsequently enters is then accessible to the attacker. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from commit 9630eb7db682fb1b4e23cdabf3428d03ec6f5094 (https://github.com/Leantime/leantime/commit/9630eb7db682fb1b4e23cdabf3428d03ec6f5094), which restores real validation of the OIDC state parameter, and track the tagged release referenced in issue https://github.com/Leantime/leantime/issues/3535 before upgrading production. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Leantime instances in your environment and determine current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is
Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P
Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e
In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality
Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do ti
Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu
Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),
Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row
Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by
Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to in
Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c
Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41941
GHSA-vwm8-rprj-29f7