<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Leantime (&lt;= 3.4.4) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/leantime--3.4.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:22:44 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/leantime--3.4.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-59712: Leantime JSON-RPC API Authorization Bypass Leads to Credential Disclosure</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59712-leantime-auth-bypass/</link><pubDate>Mon, 06 Jul 2026 21:22:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59712-leantime-auth-bypass/</guid><description>An authenticated user can exploit CVE-2026-59712, an authorization bypass vulnerability in Leantime's JSON-RPC API `Users::getUser` method, to retrieve sensitive user credential information including password hashes, TOTP secrets, and session tokens for any user, leading to account enumeration, offline password cracking, 2FA bypass, and session hijacking.</description><content:encoded><![CDATA[<p>CVE-2026-59712 describes a critical authorization bypass vulnerability in Leantime, an open-source project management system. The flaw exists within the <code>Users::getUser</code> method of its JSON-RPC API, where proper authorization checks are missing. This allows any authenticated user, regardless of their privilege level, to retrieve full user credential rows for any other user by simply providing arbitrary user IDs in the API call. This vulnerability was published to NVD on July 6, 2026, and impacts Leantime versions up to and including 3.4.4. Attackers can leverage this to enumerate all accounts on a compromised system, obtain sensitive data like password hashes, Time-based One-Time Password (TOTP) secrets, and session tokens, ultimately enabling sophisticated attacks such as offline password cracking, two-factor authentication bypass, and session hijacking. The exploitation of this vulnerability could lead to widespread unauthorized access and data exfiltration within an organization using Leantime.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains initial access to the Leantime application through a low-privileged authenticated user account.</li>
<li>The attacker authenticates to the Leantime application using the compromised or created low-privileged credentials.</li>
<li>The attacker identifies the JSON-RPC API endpoint for user management.</li>
<li>The attacker crafts malicious JSON-RPC requests targeting the <code>users.getUser</code> method, specifying arbitrary <code>user_id</code> values.</li>
<li>Due to the authorization bypass (CVE-2026-59712), the API responds with full user credential rows, including password hashes, TOTP secrets, and session tokens, for the requested user IDs.</li>
<li>The attacker iteratively sends requests with different <code>user_id</code> values to enumerate and collect sensitive information for multiple or all users within the Leantime instance.</li>
<li>The collected password hashes are then subjected to offline password cracking attempts to recover plaintext passwords.</li>
<li>Recovered passwords, TOTP secrets, and session tokens enable the attacker to bypass multi-factor authentication, hijack active user sessions, and gain unauthorized access to other user accounts, potentially escalating privileges.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-59712 leads to complete compromise of user accounts within the affected Leantime instance. Attackers can gain unauthorized access to all projects, tasks, and sensitive data managed within the application, including those belonging to high-privileged users like administrators. The disclosure of password hashes, TOTP secrets, and session tokens provides avenues for persistent access, privilege escalation, and bypass of standard security controls such as two-factor authentication. This can result in significant data exfiltration, intellectual property theft, and broader organizational compromise if Leantime manages critical business processes or sensitive information. The specific number of victims will vary per affected organization, but all user accounts within a vulnerable instance are at risk of compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-59712 immediately</strong> by updating Leantime to a patched version beyond 3.4.4. Refer to the official Leantime GitHub repository for security updates and recommended mitigation steps.</li>
<li><strong>Monitor webserver logs</strong> for unusual HTTP POST requests to Leantime's JSON-RPC API endpoints, especially those targeting the <code>users.getUser</code> method with multiple or iterative <code>user_id</code> parameters from a single source IP or authenticated session.</li>
<li><strong>Implement network segmentation</strong> to restrict access to the Leantime application from untrusted networks and ensure the JSON-RPC API is not directly exposed to the internet if not strictly necessary.</li>
<li><strong>Rotate all user credentials and sessions</strong> for your Leantime instance after applying the patch, as existing credentials and session tokens might have been compromised.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authorization-bypass</category><category>credential-disclosure</category><category>api-exploitation</category><category>web-vulnerability</category><category>cve</category></item></channel></rss>