Improper Authorization in Leantime Project Management System
CVE-2026-15510
Key Information:
Badges
What is CVE-2026-15510?
A vulnerability exists in the Leantime Project Management System versions up to 3.8.0, where the 'Setting::saveSetting' function in the API does not properly enforce authorization checks. This flaw allows remote attackers to exploit the vulnerability, potentially manipulating critical configurations without proper permissions. Despite contact with the vendor prior to the vulnerability being disclosed publicly, no response has been received. Given the nature of this issue, it is crucial for users to review their implementations and apply necessary security measures to safeguard their systems.
Affected Version(s)
Leantime 3.0
Leantime 3.1
Leantime 3.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
