PatchSiren cyber security CVE debrief
CVE-2026-59712 Leantime CVE debrief
CVE-2026-59712 is a high-severity vulnerability in Leantime's JSON-RPC API. The Users::getUser method lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows, including password hashes, TOTP secrets, and session tokens. This can be exploited to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.
- Vendor
- Leantime
- Product
- Unknown
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Administrators and users of Leantime's JSON-RPC API should be aware of this vulnerability and take immediate action to mitigate the risk. Authenticated users with access to the API may be able to exploit this vulnerability.
Technical summary
The Users::getUser method in Leantime's JSON-RPC API does not perform proper authorization checks, allowing authenticated users to retrieve sensitive user credential information. This includes password hashes, TOTP secrets, and session tokens. An attacker can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.
Defensive priority
High priority should be given to mitigating this vulnerability, as it allows authenticated users to access sensitive information. Immediate action should be taken to restrict access to the affected API method and implement additional security measures to prevent exploitation.
Recommended defensive actions
- Restrict access to the affected API method to only authorized users
- Implement additional security measures, such as IP whitelisting or rate limiting
- Monitor API activity for suspicious requests
- Consider implementing a Web Application Firewall (WAF) to detect and prevent attacks
- Update Leantime to the latest version, if available
Evidence notes
The CVE record was published on 2026-07-06T21:16:58.793Z and was last modified on 2026-07-07T14:16:34.150Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 8.6 and is classified as HIGH severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T21:16:58.793Z and has not been modified since then. The NVD entry is currently Deferred.