CVE-2026-59713

Leantime · Leantime

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that fails to properly validate state parameters.

Executive summary

A high-severity Cross-Site Request Forgery (CSRF) vulnerability in Leantime’s OIDC authentication mechanism could allow an attacker to hijack user sessions.

Vulnerability

The vulnerability exists in the verifyState() method, which performs unconditional state verification. This allows an unauthenticated attacker to bypass OIDC security controls via a crafted CSRF attack.

Business impact

The CVSS score of 8.1 highlights a critical risk to user account security. A successful exploit could lead to full account takeover, unauthorized access to sensitive project management data, and potential lateral movement within the application, severely impacting organizational data confidentiality.

Remediation

Immediate Action: Upgrade to the latest version of Leantime provided by the vendor to ensure the OIDC state verification logic is correctly implemented.

Proactive Monitoring: Review authentication logs for suspicious OIDC callback patterns or spikes in login attempts originating from unknown sources.

Compensating Controls: Utilize a Web Application Firewall (WAF) to detect and block suspicious cross-site requests that lack valid state tokens.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations using Leantime with OIDC enabled must treat this as a high-priority update. Failure to patch allows for trivial bypass of authentication mechanisms, putting all user accounts at risk of compromise.