Back to overview

CVE-2026-59713

HIGH
8.1
CVSS 3.1
Description
Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.

Metadata

CVE ID
CVE-2026-59713
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-06 15:31 UTC
Published
2026-07-06 20:36 UTC
Last updated
2026-07-06 20:36 UTC
Primary CWE
CWE-352
Cross-Site Request Forgery (CSRF)
Vendor / Product
Leantime / Leantime
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
Leantime Leantime 0 ≤ 3.4.4
Weakness (CWE)
CWESourceDescription
CWE-352 cna Cross-Site Request Forgery (CSRF)
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Back to overview