CVE-2026-34584
Status: Received - Intake
Permission Bypass in listmonk Allows Unauthorized List Access

Publication date: 2026-04-02

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
listmonk is a standalone, self-hosted newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allow users in a multi-user environment to access lists they do not have access to, under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.
Meta Information
Published: 2026-04-02
Last Modified: 2026-04-10
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: nadh
Product: listmonk
Version range: from 4.1.0 (inclusive) to 6.1.0 (exclusive)
Exploitability
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in listmonk allows unauthorized users in multi-user environments to access and manipulate subscriber lists they should not have permission for. This unauthorized access includes viewing subscriber information, sending test emails, importing subscribers, performing bulk management actions, and exporting subscriber data.

Such unauthorized access and manipulation of subscriber data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over personal data access and processing. The exposure or misuse of subscriber information due to improper permission checks could result in non-compliance with these standards.

The issue has been addressed in version 6.1.0 by implementing comprehensive permission checks and enhancing privacy controls, which helps restore compliance with these regulations by preventing unauthorized data access and improving user privacy settings.


Can you explain this vulnerability to me?

CVE-2026-34584 is a moderate severity vulnerability in the listmonk application affecting versions from 4.1.0 up to but not including 6.1.0. It involves bugs in list permission checks within multi-user environments that allow users to bypass authorization controls.

Due to improper permission validation, users with some privileges can access and manipulate mailing lists they are not authorized to use. This includes actions such as sending test emails, importing subscribers, performing bulk subscriber management, and exporting subscriber data from unauthorized lists.

The root cause is an authorization bypass through user-controlled keys, where the system fails to properly restrict access to data based on user permissions.

This vulnerability has been fixed in version 6.1.0 by adding comprehensive permission checks across multiple handlers and endpoints.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized users in a multi-user environment to access and manipulate mailing lists and subscriber data they should not have access to. Possible unauthorized actions include:

  • Sending test emails to subscribers of unauthorized lists.
  • Importing subscribers into unauthorized lists from CSV files.
  • Performing bulk management actions such as modifying, reassigning, or blocklisting subscribers in unauthorized lists.
  • Exporting subscriber information in JSON format from unauthorized lists.

These unauthorized actions can lead to data leakage, unauthorized data modification, and potential misuse of mailing lists, which could harm your organization's data integrity and privacy.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-34584, you should upgrade listmonk to version 6.1.0 or later, as this version includes important security fixes addressing multiple list permission validation issues in multi-user environments.

  • Backup your Postgres database before upgrading.
  • Stop the current listmonk binary or Docker containers.
  • Perform the upgrade to version 6.1.0 or later.
  • Restart the application after the upgrade.

These steps ensure that the patched permission checks are applied, preventing unauthorized users from accessing or manipulating lists they do not have permission for.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

CVE-2026-34584 is a permission bypass vulnerability in listmonk versions from 4.1.0 up to before 6.1.0, affecting multi-user environments with untrusted users. Detection involves verifying whether unauthorized users can access or manipulate subscriber lists they should not have permission for.

Since the vulnerability stems from improper permission checks in API endpoints related to list and subscriber management, detection can be performed by attempting to access or perform actions on lists without proper authorization.

Suggested commands or steps to detect the vulnerability include:

  • Attempt to send test emails to subscribers of lists the user should not have access to via the API or UI.
  • Try importing subscribers from CSV files into unauthorized lists and observe if the operation is allowed.
  • Perform bulk management actions (modify, reassign, blocklist) on subscribers in unauthorized lists through the UI or API.
  • Attempt to export subscriber information in JSON format from lists without proper permissions.

If any of these actions succeed without proper authorization, the system is vulnerable.

No specific command-line tools or commands are provided in the resources, but manual testing of the above scenarios via the listmonk API endpoints or UI with different user privilege levels can help detect the vulnerability.
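Because the page itself gives no command, a cheap first check is simply to compare the deployed listmonk version against the affected range stated above, 4.1.0 (inclusive) to 6.1.0 (exclusive). The following POSIX shell helper is an added example, not part of this advisory or of the listmonk project. It assumes the version string is taken from the deployed binary or image tag (for instance the output of `listmonk --version`, which is assumed here and not named on the page) and tolerates common decorations such as a leading `v`, a program name, or a `-suffix`.

```shell
# Added example: classify a listmonk version string against the affected
# range for CVE-2026-34584, [4.1.0, 6.1.0), as stated in the advisory text.
# Assumption: the string comes from the running binary or image tag
# (e.g. `listmonk --version`); the page itself names no command.

# Reduce "v5.0.2", "listmonk 5.0.2", "5.0.2-rc1" to the bare "5.0.2".
normalize_version() {
  printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# Turn "MAJ.MIN.PATCH" into a single sortable integer (MAJ*10^6 + MIN*10^3 + PATCH).
# Missing components are treated as 0, so "5.0" compares as "5.0.0".
version_key() {
  v=$(normalize_version "$1")
  IFS=. read -r maj min pat <<EOF
$v
EOF
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Exit status 0 when the version lies in [4.1.0, 6.1.0), 1 otherwise.
is_affected() {
  key=$(version_key "$1")
  lo=$(version_key 4.1.0)
  hi=$(version_key 6.1.0)
  [ "$key" -ge "$lo" ] && [ "$key" -lt "$hi" ]
}

# Human-readable verdict for one version string.
report() {
  if is_affected "$1"; then
    echo "$1: AFFECTED by CVE-2026-34584 (upgrade to 6.1.0 or later)"
  else
    echo "$1: not in the affected range"
  fi
}

# Constructed sample inputs covering both range boundaries.
for sample in "4.0.9" "v4.1.0" "listmonk 5.0.2" "6.0.9-rc1" "6.1.0"; do
  report "$sample"
done
```

The version check only tells you whether the patch is present; it says nothing about whether lists were actually accessed during the exposure window. For that, the page's manual scenarios (with a low-privilege test account, on a non-production copy where possible) remain the way to confirm behaviour, and listmonk's own access logs should be reviewed for list and subscriber API calls from users who hold no permission on the lists involved.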

