{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34584", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.999Z", "datePublished": "2026-04-02T17:31:37.615Z", "dateUpdated": "2026-04-02T19:09:02.060Z"}, "containers": {"cna": {"title": "listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv"}, {"name": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35"}, {"name": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0"}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"version": ">= 4.1.0, < 6.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:31:37.615Z"}, "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0."}], "source": {"advisory": "GHSA-85j8-5c6w-gcpv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T19:08:49.596406Z", "id": "CVE-2026-34584", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:09:02.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34584", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T19:08:49.596406Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:08:57.370Z"}}], "cna": {"title": "listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)", "source": {"advisory": "GHSA-85j8-5c6w-gcpv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"status": "affected", "version": ">= 4.1.0, < 6.1.0"}]}], "references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv", "name": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35", "name": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "name": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:31:37.615Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34584", "state": "PUBLISHED", "dateUpdated": "2026-04-02T19:09:02.060Z", "dateReserved": "2026-03-30T16:56:30.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:31:37.615Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB35DDE9-7F69-4344-A42C-C17C1F1D70A5", "versionEndExcluding": "6.1.0", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0."}], "id": "CVE-2026-34584", "lastModified": "2026-04-10T02:03:22.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:30.510", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,6.1.0)"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "listmonk", "source": "cna", "vendor": "knadh"}, "product": "listmonk", "vendor": "nadh"}], "analysis": {"en": {"generated_at": "2026-04-10T03:22:38.257549+00:00", "value": {"mitigation_remediation": ["Upgrade to listmonk version 6.1.0 or later to receive the vulnerability fix.", "If an upgrade is not immediately possible, remove or disable CSV import capability for untrusted users, and restrict CSV upload permissions to trusted accounts.", "Audit current list assignments and subscriber data to detect any unauthorized access or modifications.", "Monitor application logs for anomalous CSV import activity and unauthorized list access.", "Apply any additional security hardening guidance provided by the vendor, such as enabling multi\u2011factor authentication for privileged users."], "summary": {"action": "Patch Immediately", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The defect affects knadh\u2019s listmonk web application, impacting installations from version 4.1.0 up to but excluding version 6.1.0. All deployed environments that enable multi\u2011user mode and permit untrusted users to import CSV files are exposed. The vulnerability was fixed in the 6.1.0 release.", "description_and_impact": "The vulnerability is a broken access control flaw in the CSV import functionality of listmonk. Users with untrusted privileges in a multi\u2011user installation can gain access to mailing lists they should not see, leading to potential disclosure of subscriber data and manipulation of lists. This flaw is classified as CWE\u2011639 and, according to the CVSS score, represents a medium\u2011risk issue that can compromise confidentiality and integrity of list information.", "risk_and_exploitability": "The CVSS base score of 5.4 indicates moderate severity, while the EPSS score below 1% shows that active exploitation is unlikely at present, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with untrusted privileges who can upload CSV data, after which the server\u2019s permission checks are bypassed. Attackers would need to be able to use the web interface to trigger the import; otherwise the vulnerability cannot be abused. Given the low likelihood of exploitation and lack of critical impact, the overall risk is considered moderate but still warranting prompt remediation."}}}}, "created": "2026-04-03T08:58:06.339252+00:00", "updated": "2026-04-10T09:45:44.527481+00:00", "vendors": ["nadh", "nadh$PRODUCT$listmonk"]}