Skip to main content

Leantime EUVDEUVD-2026-41941

| CVE-2026-59713 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-06 VulnCheck GHSA-vwm8-rprj-29f7
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable OIDC callback with no attacker privileges (PR:N) but mandatory victim click (UI:R); login-CSRF yields high C/I via attacker-account session fixation and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 21:37 vuln.today

DescriptionCVE.org

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.

AnalysisAI

Login CSRF (session fixation) in Leantime's OpenID Connect authentication flow allows an attacker to authenticate a victim into an attacker-controlled account. The root cause is a stubbed verifyState() method that unconditionally returns true, so the OIDC state parameter is never validated, letting a crafted callback URL carrying an attacker-supplied authorization code complete login as the attacker. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker starts OIDC flow, obtains own auth code
Delivery
Craft malicious Leantime callback URL
Exploit
Phish victim into clicking link
Execution
verifyState() stub skips state check
Persist
Victim's session fixed to attacker account
Impact
Attacker harvests victim-entered data

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Leantime instance is configured to use OIDC single sign-on - the vulnerable verifyState() path only executes in OIDC login flows, so instances using only local authentication are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N (8.6 High) indicates network-reachable, low-complexity exploitation with no attacker privileges, but it explicitly requires passive user interaction (UI:P) - the victim must click a crafted callback link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker initiates an OIDC login, captures their own valid authorization code, and embeds it in a crafted Leantime callback URL that they send to a victim via phishing. When the victim clicks the link, because verifyState() never checks the state parameter, Leantime completes the login and silently binds the victim's browser session to the attacker's account; any project data the victim subsequently enters is then accessible to the attacker. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from commit 9630eb7db682fb1b4e23cdabf3428d03ec6f5094 (https://github.com/Leantime/leantime/commit/9630eb7db682fb1b4e23cdabf3428d03ec6f5094), which restores real validation of the OIDC state parameter, and track the tagged release referenced in issue https://github.com/Leantime/leantime/issues/3535 before upgrading production. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Leantime instances in your environment and determine current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-27474 HIGH POC
8.8 Apr 10

Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is

CVE-2024-27705 HIGH POC
7.6 Apr 03

Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers to execute arbitrary code via upload of crafted P

CVE-2023-45826 MEDIUM POC
6.5 Oct 19

Leantime is an open source project management system. Rated medium severity (CVSS 6.5), this vulnerability is remotely e

CVE-2024-27477 MEDIUM POC
6.1 Apr 10

In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality

CVE-2024-27703 MEDIUM POC
5.4 Mar 13

Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do ti

CVE-2020-5292 HIGH
8.8 Mar 31

Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vulnerability. Rated high severity (CVSS 8.8), this vu

CVE-2024-27476 MEDIUM POC
4.7 Apr 10

Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. Rated medium severity (CVSS 4.7),

CVE-2026-59712 HIGH
8.6 Jul 06

Credential disclosure in Leantime's JSON-RPC API allows an authenticated user to read any account's full credential row

CVE-2026-15509 LOW POC
2.1 Jul 12

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by

CVE-2026-15510 LOW POC
2.1 Jul 12

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to in

CVE-2025-28254 MEDIUM
5.4 Mar 28

Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary c

CVE-2023-33961 MEDIUM
5.4 May 30

Leantime is a lean open source project management system. Rated medium severity (CVSS 5.4), this vulnerability is remote

Share

EUVD-2026-41941 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy