Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 06 Jul 2026 21:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that unconditionally returns true without validating state parameters. Attackers can craft malicious callback URLs with attacker-controlled authorization codes to perform session fixation, logging victims in as the attacker. | |
| Title | Leantime - OIDC Login CSRF via Unconditional State Verification Stub | |
| First Time appeared |
Leantime
Leantime leantime |
|
| Weaknesses | CWE-352 | |
| CPEs | cpe:2.3:a:leantime:leantime:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Leantime
Leantime leantime |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-06T20:36:24.795Z
Reserved: 2026-07-06T15:31:46.188Z
Link: CVE-2026-59713
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses