CVE-2026-59713 in Leantimeinfo

Summary

by MITRE • 07/07/2026

Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability exists within the Leantime open source project's OpenID Connect authentication implementation where the verifyState() method fails to properly validate state parameters during the OAuth 2.0 authorization flow. This critical flaw stems from the method unconditionally returning true regardless of whether the state parameter matches the expected value, effectively bypassing a fundamental security mechanism designed to prevent cross-site request forgery attacks. The state parameter serves as a cryptographic token that ensures the authentication request originated from the legitimate application and not from a malicious third party.

This vulnerability creates a dangerous condition where attackers can manipulate the OAuth 2.0 authorization flow by crafting malicious callback URLs containing attacker-controlled authorization codes. The absence of proper state validation allows attackers to hijack user sessions through session fixation techniques, enabling them to impersonate legitimate users within the system. The attack exploits the trust relationship between the identity provider and the application, leveraging the lack of cryptographic verification to establish unauthorized access.

The operational impact of this vulnerability extends beyond simple privilege escalation as it enables comprehensive session takeover capabilities that can lead to full system compromise. An attacker who successfully exploits this vulnerability gains the ability to perform actions with the privileges of any user whose session they can hijack, potentially including administrative functions, data modification, and unauthorized access to sensitive information. The vulnerability affects all users who authenticate through OpenID Connect, making it particularly dangerous in environments where multiple users interact with the system.

The technical flaw aligns with CWE-352 Cross-Site Request Forgery and follows patterns identified in ATT&CK technique T1566.002 Phishing via Service Provider. This vulnerability represents a critical failure in the OAuth 2.0 implementation where state parameter validation is completely bypassed, violating the fundamental security principle that all authentication flows must verify the integrity of the authorization context. The flaw exists at the application layer and requires no special privileges to exploit, making it particularly dangerous.

Mitigation strategies should focus on implementing proper state parameter validation within the verifyState() method, ensuring that the returned state value matches the expected cryptographic token generated during the initial authentication request. Organizations should also implement additional security measures such as using secure random number generators for state tokens, implementing short expiration times for these tokens, and adding rate limiting to prevent abuse of the authentication flow. Regular security audits of authentication mechanisms and adherence to OAuth 2.0 security best practices are essential to prevent similar vulnerabilities from occurring in the future. The fix should also include logging and monitoring for suspicious authentication attempts that may indicate exploitation attempts against the vulnerable system.

Responsible

VulnCheck

Reservation

07/06/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!