CVE-2026-62361 in listmonk
Summary
by MITRE • 07/16/2026
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to 6.2.0, listmonk’s GET /api/subscribers/export endpoint injects the user-controlled query parameter into QuerySubscribersForExport in internal/core/subscribers.go without calling validateQueryTables, unlike GET /api/subscribers, allowing an authenticated user with subscribers:sql_query and subscribers:get_all to read arbitrary database tables such as users and settings and execute data-modifying PostgreSQL CTEs. This issue is fixed in version 6.2.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in listmonk versions prior to 6.2.0 represents a critical server-side request forgery and unauthorized data access flaw that undermines the application's database security model. The issue stems from inconsistent input validation between two similar API endpoints within the same application, specifically the GET /api/subscribers/export endpoint which fails to properly validate user-supplied query parameters before executing them against the PostgreSQL backend. This discrepancy creates a privilege escalation vector where authenticated users with specific permissions can bypass normal access controls and execute arbitrary database queries.
The technical flaw occurs in the internal/core/subscribers.go file where the QuerySubscribersForExport function directly incorporates user-controlled input from the query parameter without first invoking the validateQueryTables validation routine that is properly implemented in the GET /api/subscribers endpoint. This design inconsistency allows malicious actors to construct SQL queries that can traverse the database schema beyond the intended subscriber data scope. The vulnerability specifically affects users who possess both subscribers:sql_query and subscribers:get_all permissions, enabling them to access sensitive tables including users and settings that contain authentication credentials, configuration data, and other privileged information.
From an operational perspective, this vulnerability creates a significant risk of data exposure and potential system compromise. An attacker with the specified permissions can not only read arbitrary database tables but also execute data-modifying PostgreSQL Common Table Expressions which could lead to data corruption, deletion, or unauthorized modifications. The impact extends beyond simple information disclosure as it provides access to authentication credentials stored in the users table, potentially enabling further lateral movement within the system. This vulnerability aligns with CWE-89 SQL Injection and CWE-284 Improper Access Control patterns while also mapping to ATT&CK technique T1078 Valid Accounts for privilege escalation and T1566 Phishing for credential access.
The mitigation strategy requires immediate deployment of listmonk version 6.2.0 which implements proper input validation and consistent parameter handling across all subscriber-related endpoints. Organizations should also implement principle of least privilege by carefully reviewing and restricting the subscribers:sql_query and subscribers:get_all permissions to only those users who absolutely require such elevated access. Additional defensive measures include implementing database query auditing, monitoring for unusual SQL patterns in the application logs, and conducting regular security assessments of API endpoints to identify similar validation inconsistencies. The fix addresses the root cause by ensuring that all user-supplied query parameters are properly validated against allowed table names before execution, thereby preventing unauthorized schema traversal and maintaining proper data access controls.