Stored credentials in Redmine
CVE-2026-1836

5.3MEDIUM

Key Information:

Vendor: Redmine
Status: Redmine
Vendor: CVE Published:; 12 June 2026

What is CVE-2026-1836?

The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.

Affected Version(s)

Redmine 0 < 6.0.7

Redmine 0 < 5.1.10

Redmine 0 < 5.0.14

References

https://www.incibe.es/en/incibe-cert/notices/aviso/stored...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
Feb 3, 2026

CVE-2026-1836 Data

JSON