CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-59712

highCVSS 8.1covered by 1 sourcefirst seen 2026-07-06
Leantime's Users::getUser method in the JSON-RPC API lacks proper authorization checks, allowing authenticated users to retrieve full user credential rows including password hashes, TOTP secrets, and session tokens. Attackers can exploit this by calling users.getUser with arbitrary user IDs to enumerate all accounts and obtain credentials for offline password cracking, 2FA bypass, and session hijacking.

⚡ Watch CVE-2026-59712

Get an email if CVE-2026-59712 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-59712

CVE.org record

Embed the live status

CVE-2026-59712 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-59712 status](https://www.csirts.com/badge/CVE-2026-59712)](https://www.csirts.com/cve/CVE-2026-59712)