PatchSiren cyber security CVE debrief
CVE-2026-15509 Leantime CVE debrief
A vulnerability was found in Leantime up to 3.8.0, affecting the JSON-RPC Endpoint's editUser/addUser function. The manipulation of the role argument leads to improper authorization. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor has not responded. The CVSS score is 2.1, indicating a low severity. Administrators and users of Leantime up to version 3.8.0 should be aware of this vulnerability and take necessary precautions. The vulnerability class is improper authorization, and the likely operational impact is low. The source confidence is limited.
- Vendor
- Leantime
- Product
- Leantime
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-12
- Original CVE updated
- 2026-07-12
- Advisory published
- 2026-07-12
- Advisory updated
- 2026-07-12
Who should care
Administrators and users of Leantime up to version 3.8.0 should be aware of this vulnerability and take necessary precautions. The vulnerability affects the JSON-RPC Endpoint's editUser/addUser function, and the manipulation of the role argument leads to improper authorization. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor has not responded.
Technical summary
The vulnerability is caused by improper authorization in the editUser/addUser function of the JSON-RPC Endpoint in Leantime up to 3.8.0. The CVSS score is 2.1, indicating a low severity. The affected product context is Leantime up to version 3.8.0. The defensive impact is low, and the source-grounded technical framing is based on the CVE record and NVD entry. To verify, defenders should review the official advisory and CVE record for affected scope, severity, and vendor guidance, and consider compensating controls for exposed systems while remediation is scheduled and verified.
Defensive priority
Low priority, as the CVSS score is 2.1.
Recommended defensive actions
- Inventory and verify Leantime installations up to version 3.8.0
- Apply vendor patches or updates when available
- Monitor for suspicious activity on the JSON-RPC Endpoint
- Consider compensating controls, such as access restrictions
- Review the official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-12T23:16:37.817Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The vulnerability affects Leantime up to version 3.8.0, and the editUser/addUser function of the JSON-RPC Endpoint is impacted. The manipulation of the role argument leads to improper authorization. This issue can be exploited remotely. The exploit has been publicly disclosed, and the vendor has not responded. To verify, defenders should review the official advisory and CVE record for affected scope, severity, and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-12T23:16:37.817Z and has not been modified since then.