CVE-2026-39912

CRITICAL

v2board / Xboard Authentication Token Exposure via loginWithMailLink

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39912. PoCs published by Chocapikk.

AI-analyzed exploit summary: The repository contains a functional exploit for CVE-2026-39912, which leverages a magic link token leak in the `loginWithMailLink` endpoint of Xboard/V2Board to achieve unauthenticated account takeover. The exploit demonstrates the vulnerability by requesting a magic link for a target email and using the leaked token to authenticate and dump user data.

Description

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

Exploits (1)

nomisec WORKING POC
by Chocapikk · poc
https://github.com/Chocapikk/CVE-2026-39912

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: V2Board >= 1.6.1 through 1.7.4, Xboard all versions through 0.1.9+
No auth needed
Prerequisites: login_with_mail_link_enable must be enabled in admin settings · a valid registered email address
devstral-2 · analyzed Apr 10, 2026

Scores

CVSS v3 9.1
EPSS 0.0010
EPSS Percentile 27.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-201
Status published
Products (4)
cedar2025/Xboard < 0.1.9
cedar2025/Xboard 121511523f04882ec0c7447acd9b8ebcb8a47957
v2board/v2board 1.6.1 - 1.7.4
v2board/v2board bdb10bed32c5f37df2f0872c3cb354e9b7a293bd - 0ca47622a50116d0ddd7ffb316b157afb57d25e8
Published Apr 09, 2026
Tracked Since Apr 10, 2026