OIDC Login CSRF Vulnerability in Leantime by Leantime
CVE-2026-59713

8.6HIGH

Key Information:

Vendor

Leantime

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-59713?

Leantime has a vulnerability in the OIDC login mechanism, specifically in the verifyState() method. This issue allows an attacker to craft malicious callback URLs that exploit the application's failure to validate state parameters, leading to potential session fixation attacks. By manipulating the authorization process, attackers can log victims into a session under their control, which poses a significant threat to user security. It is essential for users to update to the patched version as outlined in the references to mitigate this risk.

Affected Version(s)

Leantime 0 <= 3.4.4

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.