CVE-2026-34828
Session Management Flaw in listmonk Allows Persistent Account Access
Publication date: 2026-04-02
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nadh | listmonk | From 4.1.0 (inc) to 6.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability weakens account recovery and session security guarantees by allowing previously issued authenticated sessions to remain valid after password resets or changes. As a result, an attacker who has obtained a valid session cookie can maintain unauthorized access even after the victim updates their password.
Such a weakness can impact compliance with common standards and regulations like GDPR and HIPAA, which require robust access controls and protection of personal and sensitive data. Failure to invalidate sessions after credential changes may lead to unauthorized data access, increasing the risk of data breaches and non-compliance with these regulations' security requirements.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade listmonk to version 6.1.0 or later, where this vulnerability has been patched.
The patch ensures that all existing user sessions are invalidated upon password reset or change, preventing reuse of old session cookies.
If immediate upgrade is not possible, consider manually invalidating all active sessions for users after password changes by deleting session records from the session store or database.
- Implement a process to delete all sessions associated with a user upon password reset or change.
- Require users to log out and log back in after password changes.
- Monitor for suspicious session reuse and revoke sessions as needed.
Can you explain this vulnerability to me?
CVE-2026-34828 is a session management vulnerability in the listmonk application versions from 4.1.0 up to but not including 6.1.0. The issue allows previously issued authenticated sessions to remain valid even after a user changes or resets their password.
This means that if an attacker has already obtained a valid session cookie, they can continue to access the victim's account despite password updates. The vulnerability occurs because the application updates the password but fails to revoke or invalidate existing active sessions issued before the change.
- Password reset flow: After resetting the password, the old password is invalidated but the pre-reset session cookie remains valid.
- Authenticated password change flow: When a user changes their password in one session, other sessions issued before the change remain valid.
This weakens account recovery and session security guarantees, allowing attackers to maintain unauthorized access even after password changes or resets.
How can this vulnerability impact me?
This vulnerability can have serious security impacts if an attacker obtains a valid session cookie through means such as malware, cross-site scripting (XSS), shared machines, or proxy leakage.
Because existing sessions are not invalidated after password changes or resets, the attacker can maintain unauthorized access to the victim's account despite the victim's attempts to recover or secure their account.
This undermines the effectiveness of password resets and changes as security measures, potentially leading to data exposure or unauthorized actions within the affected account.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows previously issued authenticated session cookies to remain valid after a password reset or change. Detection involves monitoring for active sessions that persist despite password updates.
To detect this on your system, you can check for multiple active sessions for the same user, especially sessions that were created before a password reset or change.
Suggested commands or approaches include:
- Inspect session storage (e.g., a database table `sessions`) for multiple active sessions per user.
- Query sessions with SQL similar to `SELECT * FROM sessions WHERE data->>'user_id' = '<user_id>';` to identify all sessions for a user.
- Check application logs for password reset or change events and correlate with session creation timestamps.
- Monitor network traffic for reuse of old session cookies after password changes, for example by capturing HTTP requests with tools like tcpdump or Wireshark and analyzing session cookies.
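The following Go program is an added illustration of both the mitigation described above (deleting a user's sessions when the password is reset or changed) and the detection heuristic (flagging active sessions created before the user's last password change). It is not listmonk's code: the `Session`, `Store` and `Account` types, the in-memory store standing in for a database table, and the timeline in `main` are all constructed for this example, and the revoke-then-reissue design of `ChangePasswordFixed` is an assumed fix pattern rather than a description of the actual patch.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Session is one row of a hypothetical session store. The shape is constructed
// for this example and is not listmonk's real schema.
type Session struct {
	ID        string
	UserID    int
	CreatedAt time.Time
}

// Store is an in-memory stand-in for the sessions table.
type Store struct {
	sessions map[string]Session
}

func NewStore() *Store { return &Store{sessions: map[string]Session{}} }

// Create issues a new random session ID for userID, created at the given time.
func (s *Store) Create(userID int, at time.Time) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.sessions[id] = Session{ID: id, UserID: userID, CreatedAt: at}
	return id
}

// Valid reports whether a session ID is still accepted by the store.
func (s *Store) Valid(id string) bool {
	_, ok := s.sessions[id]
	return ok
}

// RevokeUserSessions deletes every session of userID and returns how many
// were removed. Deleting map entries while ranging over the map is safe in Go.
func (s *Store) RevokeUserSessions(userID int) int {
	n := 0
	for id, sess := range s.sessions {
		if sess.UserID == userID {
			delete(s.sessions, id)
			n++
		}
	}
	return n
}

// Account holds the credential state the handlers below update.
type Account struct {
	UserID          int
	PasswordHash    string
	PasswordChanged time.Time
}

// ChangePasswordVulnerable mirrors the flaw the advisory describes: the hash is
// replaced but sessions issued before the change stay valid.
func ChangePasswordVulnerable(acc *Account, newHash string, at time.Time) {
	acc.PasswordHash = newHash
	acc.PasswordChanged = at
}

// ChangePasswordFixed (assumed fix pattern) replaces the hash, revokes every
// session of the user, which also covers the unauthenticated reset flow where
// there is no current session to keep, and issues a fresh session for the
// caller so that no surviving session predates the change.
// Returns the new session ID and the number of sessions revoked.
func ChangePasswordFixed(acc *Account, store *Store, newHash string, at time.Time) (string, int) {
	acc.PasswordHash = newHash
	acc.PasswordChanged = at
	revoked := store.RevokeUserSessions(acc.UserID)
	return store.Create(acc.UserID, at), revoked
}

// StaleSessions is the detection heuristic from the advisory: active sessions
// of a user whose creation time precedes the user's last password change.
// On a system that revokes sessions correctly this list should be empty.
func StaleSessions(store *Store, acc Account) []Session {
	var stale []Session
	for _, sess := range store.sessions {
		if sess.UserID == acc.UserID && sess.CreatedAt.Before(acc.PasswordChanged) {
			stale = append(stale, sess)
		}
	}
	return stale
}

func main() {
	// Constructed timeline: a session is issued at t0, the victim changes the
	// password at t0+1h (vulnerable path) and again at t0+2h (fixed path).
	t0 := time.Date(2026, 4, 1, 10, 0, 0, 0, time.UTC)
	store := NewStore()
	acc := Account{UserID: 7, PasswordHash: "hash-old", PasswordChanged: t0.Add(-24 * time.Hour)}
	old := store.Create(acc.UserID, t0)

	ChangePasswordVulnerable(&acc, "hash-new", t0.Add(time.Hour))
	fmt.Printf("vulnerable: old session valid=%v, stale sessions=%d\n",
		store.Valid(old), len(StaleSessions(store, acc)))

	fresh, revoked := ChangePasswordFixed(&acc, store, "hash-new2", t0.Add(2*time.Hour))
	fmt.Printf("fixed: revoked=%d, old valid=%v, fresh valid=%v, stale sessions=%d\n",
		revoked, store.Valid(old), store.Valid(fresh), len(StaleSessions(store, acc)))
}
```

Run with `go run main.go`. Against a real deployment the `StaleSessions` comparison is the same correlation the advisory suggests doing by hand: join each user's password-change timestamp from the application logs against the `created_at` of their rows in the session store, and any row that predates the change is a session the patch should have revoked.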