PatchSiren

Leantime CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH Leantime CVE published 2026-07-06

CVE-2026-59713

The CVE record for CVE-2026-59713 was published on 2026-07-06T21:16:58.930Z and has not been modified since then. The NVD entry is currently Deferred. Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session [truncated]

HIGH Leantime CVE published 2026-07-06

CVE-2026-59712

CVE-2026-59712 is a high-severity vulnerability in Leantime's JSON-RPC API. The Users::getUser method lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows, including password hashes, TOTP secrets, and session tokens. This can be exploited to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.