CVE-2026-59712
Leantime · Leantime
The JSON-RPC API in Leantime contains an authorization bypass that allows authenticated users to retrieve sensitive credential information from other accounts.
Executive summary
A critical authorization bypass in the Leantime JSON-RPC API allows authenticated users to exfiltrate password hashes, TOTP secrets, and session tokens.
Vulnerability
The Users::getUser method lacks necessary authorization checks (CWE-639), enabling an authenticated user to perform unauthorized lookups of sensitive user credential rows. This allows an attacker with standard user privileges to gain access to highly sensitive security data of other users.
Business impact
This vulnerability carries a CVSS score of 8.1, reflecting the significant risk of full account takeover. Unauthorized access to password hashes, multi-factor authentication secrets, and session tokens effectively invalidates the security posture of the entire platform, potentially leading to widespread compromise of user accounts and administrative access.
Remediation
Immediate Action: Update to the patched version of Leantime provided by the vendor.
Proactive Monitoring: Review audit logs for anomalous or high-frequency calls to the Users::getUser JSON-RPC method, particularly those requesting data for multiple distinct user IDs.
Compensating Controls: Restrict API access to trusted network segments and ensure robust logging is enabled for all JSON-RPC interface interactions.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the exposure of sensitive authentication material, this vulnerability must be treated as a critical security priority. Organizations should apply the vendor-supplied security update immediately to prevent credential harvesting and potential lateral movement across the platform.