{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/leantime/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-59713"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Leantime"],"_cs_severities":["high"],"_cs_tags":["csrf","oidc","session-fixation","web-application","vulnerability","leantime"],"_cs_type":"advisory","_cs_vendors":["Leantime"],"content_html":"\u003cp\u003eA significant security vulnerability, CVE-2026-59713, has been disclosed in Leantime, an open-source project management system. This high-severity flaw (CVSS v3.1 Base Score: 8.1) exists within the OpenID Connect (OIDC) login mechanism, specifically in the \u003ccode\u003everifyState()\u003c/code\u003e method. The method is designed to validate state parameters to prevent Cross-Site Request Forgery (CSRF) attacks but unconditionally returns \u003ccode\u003etrue\u003c/code\u003e, effectively bypassing this crucial security check. Attackers can exploit this by pre-authenticating to Leantime via OIDC and then crafting a malicious callback URL containing their own valid authorization code. By tricking a victim into clicking this URL, the victim is inadvertently logged into the attacker's Leantime session, leading to session fixation. This can enable the attacker to manipulate the victim's perception and actions within the application, potentially leading to unauthorized data exposure or malicious activity conducted under the guise of the victim's interaction.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker first registers an account and authenticates to Leantime through their configured OIDC provider.\u003c/li\u003e\n\u003cli\u003eThe attacker then captures the session identifier or authorization code generated during their legitimate OIDC authentication flow.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL for the Leantime application's OIDC callback endpoint, embedding the captured attacker-controlled authorization code.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this crafted malicious URL to a target victim, typically via social engineering methods such as a phishing email or message.\u003c/li\u003e\n\u003cli\u003eThe victim is enticed to click the malicious link, which directs their browser to the vulnerable Leantime OIDC callback endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the flaw in the \u003ccode\u003everifyState()\u003c/code\u003e method, Leantime processes the attacker's authorization code without validating the OIDC \u003ccode\u003estate\u003c/code\u003e parameter against the user's session.\u003c/li\u003e\n\u003cli\u003eThe Leantime application then logs the victim's browser session into the attacker's pre-established account, effectively performing session fixation.\u003c/li\u003e\n\u003cli\u003eThe victim, believing they are logged into their own account, may perform actions that are actually attributed to the attacker's account, potentially compromising data or application integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59713 results in session fixation, where a victim is logged into an attacker's Leantime account without their explicit knowledge. While this does not directly grant the attacker access to the victim's \u003cem\u003epersonal\u003c/em\u003e Leantime account, it allows the attacker to trick the victim into performing actions within the application \u003cem\u003eas the attacker\u003c/em\u003e. This poses a significant risk to data integrity and user trust. For instance, a victim might inadvertently modify or delete project data, publish sensitive information, or interact with other users, all under the attacker's identity. This can lead to confusion, data corruption, and potentially reputational damage for organizations using Leantime, as well as enabling sophisticated social engineering attacks where the victim is coerced into performing actions that benefit the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-59713\u003c/strong\u003e on all Leantime instances immediately, as detailed by the vendor to address the \u003ccode\u003everifyState()\u003c/code\u003e vulnerability.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of phishing and urge caution when clicking on suspicious links, especially those asking for login or appearing to redirect after authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:23:52Z","date_published":"2026-07-06T21:23:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-leantime-oidc-csrf/","summary":"CVE-2026-59713 identifies a high-severity OIDC login Cross-Site Request Forgery (CSRF) vulnerability in Leantime's verifyState() method, allowing attackers to craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation and log victims into an attacker's session.","title":"CVE-2026-59713: Leantime OIDC Login CSRF leading to Session Fixation","url":"https://feed.craftedsignal.io/briefs/2026-07-leantime-oidc-csrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-59712"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Leantime (\u003c= 3.4.4)"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","credential-disclosure","api-exploitation","web-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["Leantime"],"content_html":"\u003cp\u003eCVE-2026-59712 describes a critical authorization bypass vulnerability in Leantime, an open-source project management system. The flaw exists within the \u003ccode\u003eUsers::getUser\u003c/code\u003e method of its JSON-RPC API, where proper authorization checks are missing. This allows any authenticated user, regardless of their privilege level, to retrieve full user credential rows for any other user by simply providing arbitrary user IDs in the API call. This vulnerability was published to NVD on July 6, 2026, and impacts Leantime versions up to and including 3.4.4. Attackers can leverage this to enumerate all accounts on a compromised system, obtain sensitive data like password hashes, Time-based One-Time Password (TOTP) secrets, and session tokens, ultimately enabling sophisticated attacks such as offline password cracking, two-factor authentication bypass, and session hijacking. The exploitation of this vulnerability could lead to widespread unauthorized access and data exfiltration within an organization using Leantime.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains initial access to the Leantime application through a low-privileged authenticated user account.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Leantime application using the compromised or created low-privileged credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the JSON-RPC API endpoint for user management.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious JSON-RPC requests targeting the \u003ccode\u003eusers.getUser\u003c/code\u003e method, specifying arbitrary \u003ccode\u003euser_id\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eDue to the authorization bypass (CVE-2026-59712), the API responds with full user credential rows, including password hashes, TOTP secrets, and session tokens, for the requested user IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker iteratively sends requests with different \u003ccode\u003euser_id\u003c/code\u003e values to enumerate and collect sensitive information for multiple or all users within the Leantime instance.\u003c/li\u003e\n\u003cli\u003eThe collected password hashes are then subjected to offline password cracking attempts to recover plaintext passwords.\u003c/li\u003e\n\u003cli\u003eRecovered passwords, TOTP secrets, and session tokens enable the attacker to bypass multi-factor authentication, hijack active user sessions, and gain unauthorized access to other user accounts, potentially escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-59712 leads to complete compromise of user accounts within the affected Leantime instance. Attackers can gain unauthorized access to all projects, tasks, and sensitive data managed within the application, including those belonging to high-privileged users like administrators. The disclosure of password hashes, TOTP secrets, and session tokens provides avenues for persistent access, privilege escalation, and bypass of standard security controls such as two-factor authentication. This can result in significant data exfiltration, intellectual property theft, and broader organizational compromise if Leantime manages critical business processes or sensitive information. The specific number of victims will vary per affected organization, but all user accounts within a vulnerable instance are at risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-59712 immediately\u003c/strong\u003e by updating Leantime to a patched version beyond 3.4.4. Refer to the official Leantime GitHub repository for security updates and recommended mitigation steps.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor webserver logs\u003c/strong\u003e for unusual HTTP POST requests to Leantime's JSON-RPC API endpoints, especially those targeting the \u003ccode\u003eusers.getUser\u003c/code\u003e method with multiple or iterative \u003ccode\u003euser_id\u003c/code\u003e parameters from a single source IP or authenticated session.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement network segmentation\u003c/strong\u003e to restrict access to the Leantime application from untrusted networks and ensure the JSON-RPC API is not directly exposed to the internet if not strictly necessary.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRotate all user credentials and sessions\u003c/strong\u003e for your Leantime instance after applying the patch, as existing credentials and session tokens might have been compromised.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T21:22:44Z","date_published":"2026-07-06T21:22:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59712-leantime-auth-bypass/","summary":"An authenticated user can exploit CVE-2026-59712, an authorization bypass vulnerability in Leantime's JSON-RPC API `Users::getUser` method, to retrieve sensitive user credential information including password hashes, TOTP secrets, and session tokens for any user, leading to account enumeration, offline password cracking, 2FA bypass, and session hijacking.","title":"CVE-2026-59712: Leantime JSON-RPC API Authorization Bypass Leads to Credential Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-59712-leantime-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Leantime","version":"https://jsonfeed.org/version/1.1"}