CVE-2026-59712
Received Received - Intake

Leak of User Credentials via JSON-RPC in Leantime

Vulnerability report for CVE-2026-59712, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulnCheck

Description

Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in Leantime's Users::getUser method within the JSON-RPC API, where it lacks proper authorization checks.

This flaw allows authenticated users to retrieve full user credential information, including password hashes, TOTP (Time-based One-Time Password) secrets, and session tokens.

Attackers can exploit this by calling the users.getUser method with arbitrary user IDs to enumerate all accounts and obtain sensitive credentials.

Impact Analysis

This vulnerability can have serious impacts including:

  • Attackers can perform offline password cracking using the obtained password hashes.
  • They can bypass two-factor authentication (2FA) by accessing TOTP secrets.
  • Session hijacking is possible by stealing session tokens.
  • Overall, it enables attackers to compromise user accounts and potentially gain unauthorized access to the system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59712. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart