CVE-2026-34584
Received Received - Intake
Permission Bypass in listmonk Allows Unauthorized List Access

Publication date: 2026-04-02

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34584
EUVD
EUVD-2026-18450
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nadh listmonk From 4.1.0 (inc) to 6.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34584 is a moderate severity vulnerability in the listmonk application affecting versions from 4.1.0 up to but not including 6.1.0. It involves bugs in list permission checks within multi-user environments that allow users to bypass authorization controls.

Due to improper permission validation, users with some privileges can access and manipulate mailing lists they are not authorized to use. This includes actions such as sending test emails, importing subscribers, performing bulk subscriber management, and exporting subscriber data from unauthorized lists.

The root cause is an authorization bypass through user-controlled keys, where the system fails to properly restrict access to data based on user permissions.

This vulnerability has been fixed in version 6.1.0 by adding comprehensive permission checks across multiple handlers and endpoints.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users in a multi-user environment to access and manipulate mailing lists and subscriber data they should not have access to.

  • Sending test emails to subscribers of unauthorized lists.
  • Importing subscribers into unauthorized lists from CSV files.
  • Performing bulk management actions such as modifying, reassigning, or blocklisting subscribers in unauthorized lists.
  • Exporting subscriber information in JSON format from unauthorized lists.

These unauthorized actions can lead to data leakage, unauthorized data modification, and potential misuse of mailing lists, which could harm your organization's data integrity and privacy.

Compliance Impact

The vulnerability in listmonk allows unauthorized users in multi-user environments to access and manipulate subscriber lists they should not have permission for. This unauthorized access includes viewing subscriber information, sending test emails, importing subscribers, performing bulk management actions, and exporting subscriber data.

Such unauthorized access and manipulation of subscriber data can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls over personal data access and processing. The exposure or misuse of subscriber information due to improper permission checks could result in non-compliance with these standards.

The issue has been addressed in version 6.1.0 by implementing comprehensive permission checks and enhancing privacy controls, which helps restore compliance with these regulations by preventing unauthorized data access and improving user privacy settings.

Detection Guidance

CVE-2026-34584 is a permission bypass vulnerability in listmonk versions from 4.1.0 up to before 6.1.0, affecting multi-user environments with untrusted users. Detection involves verifying whether unauthorized users can access or manipulate subscriber lists they should not have permission for.

Since the vulnerability stems from improper permission checks in API endpoints related to list and subscriber management, detection can be performed by attempting to access or perform actions on lists without proper authorization.

Suggested commands or steps to detect the vulnerability include:

  • Attempt to send test emails to subscribers of lists the user should not have access to via the API or UI.
  • Try importing subscribers from CSV files into unauthorized lists and observe if the operation is allowed.
  • Perform bulk management actions (modify, reassign, blocklist) on subscribers in unauthorized lists through the UI or API.
  • Attempt to export subscriber information in JSON format from lists without proper permissions.

If any of these actions succeed without proper authorization, the system is vulnerable.

No specific command-line tools or commands are provided in the resources, but manual testing of the above scenarios via the listmonk API endpoints or UI with different user privilege levels can help detect the vulnerability.

Mitigation Strategies

To mitigate CVE-2026-34584, you should upgrade listmonk to version 6.1.0 or later, as this version includes important security fixes addressing multiple list permission validation issues in multi-user environments.

  • Backup your Postgres database before upgrading.
  • Stop the current listmonk binary or Docker containers.
  • Perform the upgrade to version 6.1.0 or later.
  • Restart the application after the upgrade.

These steps ensure that the patched permission checks are applied, preventing unauthorized users from accessing or manipulating lists they do not have permission for.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart