Executive Summary

CVE-2026-39912 is a critical security vulnerability affecting V2Board (versions 1.6.1 through 1.7.4) and Xboard (all versions through 0.1.9). Both are open-source VPN/proxy management panels. The vulnerability lies in the "loginWithMailLink" feature, which is intended to authenticate users via a magic login link sent to their email.

The flaw is that when this feature is enabled, the server mistakenly returns the magic login link containing a secret authentication token directly in the HTTP response body after a login request, instead of only sending it via email. This exposes the token to anyone who can submit a POST request with a known email address to the vulnerable endpoint.

An unauthenticated attacker can exploit this by submitting a victim's email to the loginWithMailLink endpoint, receiving the magic login link with the secret token in the response, and then using that token at the token2Login endpoint to obtain a fully authenticated session. This includes full account access with admin privileges.

The root cause is the exposure of sensitive authentication tokens in API responses, bypassing the intended email verification factor. The vulnerability was introduced in June 2022 and remained unnoticed for nearly four years.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an unauthenticated attacker to take over any user account simply by knowing the victim's email address. The attacker can obtain a valid bearer token with full account access, including admin privileges.

• Complete account takeover without needing passwords or email access.
• Access to sensitive user data such as email, UUID, balance, subscriptions, payment history, support tickets, and active sessions.
• Control over VPN subscription tokens and server configurations.
• Potential to upload malicious themes containing webshells via the admin API, leading to remote code execution (RCE) if the attacker can also discover the secret admin path.

Overall, the vulnerability leads to full infrastructure compromise of affected VPN/proxy management panels, enabling attackers to manipulate user accounts, extract sensitive data, and potentially execute arbitrary code.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the behavior of the loginWithMailLink endpoint. Specifically, an unauthenticated POST request can be sent to the loginWithMailLink endpoint with a known email address. If the HTTP response body contains the magic login link (which includes a secret token), the system is vulnerable.

A simple detection method is to send a POST request to the vulnerable endpoint with a victim's email and observe if the response contains the magic login link token instead of a generic success message.

Example command using curl to test the endpoint (replace URL and email accordingly):

• curl -X POST https://your-v2board-or-xboard-instance/api/v1/passport/auth/loginWithMailLink -d '{"email":"[email protected]"}' -H 'Content-Type: application/json'

If the response contains a URL with a token (e.g., a magic login link), the vulnerability is present.

Additionally, you can check for the presence of the feature flag `login_with_mail_link_enable` being active, as the vulnerability only manifests when this feature is enabled.

Network scanning tools like Shodan or ZoomEye have been used to identify vulnerable instances globally by searching for exposed endpoints matching this pattern.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to disable the `login_with_mail_link_enable` feature if it is currently enabled, as this feature is required for the vulnerability to be exploitable.

If disabling the feature is not possible, apply the patch that removes the magic login link from the HTTP response body. Instead of returning the magic link in the API response, the endpoint should return a generic success indicator (boolean true) after sending the magic link via email.

This fix ensures that the magic login link token is only delivered through the user's email, preserving the intended authentication flow and preventing unauthorized access.

Check for and apply the official patches merged in the v2board and Xboard repositories that address this issue by modifying the `loginWithMailLink` endpoint behavior.

Additionally, review your `.env` configuration to ensure no default or hardcoded `APP_KEY` values are used, as predictable keys can increase exposure risk.

Monitor your systems for suspicious POST requests to the loginWithMailLink endpoint and unauthorized token exchanges at the token2Login endpoint.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-39912 exposes authentication tokens in HTTP response bodies, allowing unauthenticated attackers to take over user accounts, including admin accounts, without credentials. This leads to unauthorized access to sensitive user data such as email addresses, subscription tokens, payment history, and server configurations.

Such unauthorized access and data exposure can violate common data protection standards and regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure and ensure data confidentiality and integrity.

Specifically, the vulnerability undermines the authentication mechanism by leaking secret tokens, thereby bypassing intended security controls and potentially leading to breaches of user privacy and data security obligations mandated by these regulations.

Useful 0 Not Useful 0