CVE-2026-34828
Received Received - Intake
Session Management Flaw in listmonk Allows Persistent Account Access

Publication date: 2026-04-02

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34828
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nadh listmonk From 4.1.0 (inc) to 6.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability weakens account recovery and session security guarantees by allowing previously issued authenticated sessions to remain valid after password resets or changes. As a result, an attacker who has obtained a valid session cookie can maintain unauthorized access even after the victim updates their password.

Such a weakness can impact compliance with common standards and regulations like GDPR and HIPAA, which require robust access controls and protection of personal and sensitive data. Failure to invalidate sessions after credential changes may lead to unauthorized data access, increasing the risk of data breaches and non-compliance with these regulations' security requirements.

Mitigation Strategies

The primary mitigation is to upgrade listmonk to version 6.1.0 or later, where this vulnerability has been patched.

The patch ensures that all existing user sessions are invalidated upon password reset or change, preventing reuse of old session cookies.

If immediate upgrade is not possible, consider manually invalidating all active sessions for users after password changes by deleting session records from the session store or database.

  • Implement a process to delete all sessions associated with a user upon password reset or change.
  • Enforce users to log out and log back in after password changes.
  • Monitor for suspicious session reuse and revoke sessions as needed.
Executive Summary

CVE-2026-34828 is a session management vulnerability in the listmonk application versions from 4.1.0 up to but not including 6.1.0. The issue allows previously issued authenticated sessions to remain valid even after a user changes or resets their password.

This means that if an attacker has already obtained a valid session cookie, they can continue to access the victim's account despite password updates. The vulnerability occurs because the application updates the password but fails to revoke or invalidate existing active sessions issued before the change.

  • Password reset flow: After resetting the password, the old password is invalidated but the pre-reset session cookie remains valid.
  • Authenticated password change flow: When a user changes their password in one session, other sessions issued before the change remain valid.

This weakens account recovery and session security guarantees, allowing attackers to maintain unauthorized access even after password changes or resets.

Impact Analysis

This vulnerability can have serious security impacts if an attacker obtains a valid session cookie through means such as malware, cross-site scripting (XSS), shared machines, or proxy leakage.

Because existing sessions are not invalidated after password changes or resets, the attacker can maintain unauthorized access to the victim's account despite the victim's attempts to recover or secure their account.

This undermines the effectiveness of password resets and changes as security measures, potentially leading to data exposure or unauthorized actions within the affected account.

Detection Guidance

This vulnerability allows previously issued authenticated session cookies to remain valid after a password reset or change. Detection involves monitoring for active sessions that persist despite password updates.

To detect this on your system, you can check for multiple active sessions for the same user, especially sessions that were created before a password reset or change.

Suggested commands or approaches include:

  • Inspect session storage (e.g., database table 'sessions') for multiple active sessions per user.
  • Query sessions with SQL similar to: SELECT * FROM sessions WHERE data->>'user_id' = '<user_id>'; to identify all sessions for a user.
  • Check application logs for password reset or change events and correlate with session creation timestamps.
  • Monitor network traffic for reuse of old session cookies after password changes, for example by capturing HTTP requests with tools like tcpdump or Wireshark and analyzing session cookies.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart