CVE-2026-59713

HIGH

Leantime - OIDC Login CSRF via Unconditional State Verification Stub

Title source: cna
STIX 2.1

Description

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.

Scores

CVSS v3 8.1
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Details

CWE
CWE-352
Status published
Products (1)
Leantime/Leantime < 3.4.4
Published Jul 06, 2026
Tracked Since Jul 07, 2026