CVE-2026-59713
Leantime · Leantime
Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that fails to properly validate state parameters.
Executive summary
A high-severity Cross-Site Request Forgery (CSRF) vulnerability in Leantime’s OIDC authentication mechanism could allow an attacker to hijack user sessions.
Vulnerability
The vulnerability exists in the verifyState() method, which performs unconditional state verification. This allows an unauthenticated attacker to bypass OIDC security controls via a crafted CSRF attack.
Business impact
The CVSS score of 8.1 highlights a critical risk to user account security. A successful exploit could lead to full account takeover, unauthorized access to sensitive project management data, and potential lateral movement within the application, severely impacting organizational data confidentiality.
Remediation
Immediate Action: Upgrade to the latest version of Leantime provided by the vendor to ensure the OIDC state verification logic is correctly implemented.
Proactive Monitoring: Review authentication logs for suspicious OIDC callback patterns or spikes in login attempts originating from unknown sources.
Compensating Controls: Utilize a Web Application Firewall (WAF) to detect and block suspicious cross-site requests that lack valid state tokens.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations using Leantime with OIDC enabled must treat this as a high-priority update. Failure to patch allows for trivial bypass of authentication mechanisms, putting all user accounts at risk of compromise.