Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 06 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking. | |
| Title | Leantime - Credential Disclosure via Unauthenticated JSON-RPC users.getUser Method | |
| First Time appeared |
Leantime
Leantime leantime |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Leantime
Leantime leantime |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-06T20:43:50.296Z
Reserved: 2026-07-06T15:31:46.188Z
Link: CVE-2026-59712
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses