Back to KEVs

CVE-2026-34828

listmonk: Active sessions remain valid after password reset and password change

Basic Information

CVE State
PUBLISHED
Reserved Date
March 30, 2026
Published Date
April 02, 2026
Last Updated
April 03, 2026
Vendor
knadh
Product
listmonk
Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.

CVSS Scores

CVSS v3.1

7.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

SSVC Information

Exploitation
poc
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2026-04-02 09:00:05 UTC) Source

References

https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e https://github.com/knadh/listmonk/releases/tag/v6.1.0

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2026-04-02 09:00:05 UTC

Timeline

  • CVE ID Reserved

  • Added to KEVIntel

  • CVE Published to Public