PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39912 V2Board CVE debrief

CVE-2026-39912 is a critical vulnerability in V2Board and Xboard that exposes authentication tokens in HTTP response bodies when the login_with_mail_link_enable feature is active. This AI-assisted PatchSiren debrief is based on the supplied source corpus. The CVE record was published on 2026-04-09T19:16:25.920Z and has not been modified since then. Affected product deployments should be confirmed in managed environments, and owners should be assigned for follow-up. The vulnerability allows unauthenticated attackers to obtain valid bearer tokens with complete account access, including admin privileges, by exploiting the loginWithMailLink endpoint.

Vendor
V2Board
Product
V2Board
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-09
Original CVE updated
2026-07-14
Advisory published
2026-04-09
Advisory updated
2026-07-14

Who should care

Administrators and users of V2Board and Xboard should be aware of this vulnerability, as it allows unauthenticated attackers to obtain valid bearer tokens with complete account access, including admin privileges.

Technical summary

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it allows for unauthorized account access and potential privilege escalation.

Recommended defensive actions

  • Patch or update V2Board and Xboard to a version that fixes this vulnerability
  • Disable the login_with_mail_link_enable feature if not required
  • Monitor for suspicious activity on the loginWithMailLink and token2Login endpoints
  • Implement additional security measures, such as IP restrictions or two-factor authentication
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record and NVD entry provide details on the vulnerability, but further information is limited. Verification of the affected products and versions is necessary to ensure accurate patching. The login_with_mail_link_enable feature must be disabled if not required. Evidence limits suggest that defenders should verify affected scope, severity, and vendor guidance. Additional source grounding and evidence are needed to ensure accurate patching and mitigation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-09T19:16:25.920Z and has not been modified since then.