{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34828", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.283Z", "datePublished": "2026-04-02T17:32:24.756Z", "dateUpdated": "2026-04-03T17:33:57.751Z"}, "containers": {"cna": {"title": "listmonk: Active sessions remain valid after password reset and password change", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh"}, {"name": "https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e"}, {"name": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0"}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"version": ">= 4.1.0, < 6.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:32:24.756Z"}, "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0."}], "source": {"advisory": "GHSA-h5j9-cvrw-v5qh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T17:33:40.871656Z", "id": "CVE-2026-34828", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T17:33:57.751Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34828", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T17:33:40.871656Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T17:33:52.285Z"}}], "cna": {"title": "listmonk: Active sessions remain valid after password reset and password change", "source": {"advisory": "GHSA-h5j9-cvrw-v5qh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"status": "affected", "version": ">= 4.1.0, < 6.1.0"}]}], "references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh", "name": "https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e", "name": "https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "name": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:32:24.756Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34828", "state": "PUBLISHED", "dateUpdated": "2026-04-03T17:33:57.751Z", "dateReserved": "2026-03-30T20:52:53.283Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:32:24.756Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nadh:listmonk:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB35DDE9-7F69-4344-A42C-C17C1F1D70A5", "versionEndExcluding": "6.1.0", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0."}], "id": "CVE-2026-34828", "lastModified": "2026-04-15T17:45:10.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:33.713", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/knadh/listmonk/commit/db82035d619348949512dafdaf60c86037cafc9e"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-h5j9-cvrw-v5qh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,6.1.0)"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "listmonk", "source": "cna", "vendor": "knadh"}, "product": "listmonk", "vendor": "nadh"}], "analysis": {"en": {"generated_at": "2026-04-02T22:29:44.720365+00:00", "value": {"mitigation_remediation": ["Upgrade to listmonk version 6.1.0 or later, which includes the session\u2011invalidation patch."], "summary": {"action": "Patch Immediately", "impact": "Persisting authenticated sessions after password changes allow continued unauthorized access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the open\u2011source newsletter manager generically referred to as listmonk, from version 4.1.0 through versions just before 6.1.0. Updates in version 6.1.0 include a patch that ensures sessions are invalidated when the user\u2019s password is changed or reset.", "description_and_impact": "An authenticated session that was issued prior to a password reset or change remains valid, allowing an attacker who has already stolen that session cookie to continue accessing the compromised account. This flaw undermines the core security guarantee that a password change or reset invalidates all previous session credentials, potentially enabling ongoing exploitation and data theft, while also eroding the effectiveness of account recovery procedures. The weakness involves improper session invalidation and is classified as CWE\u2011613.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a moderate to high severity, and while the EPSS score is unavailable, the flaw is straightforward to exploit remotely: an attacker with an existing valid session cookie can reuse it after the victim changes their password, because the application does not revoke or invalidate the cookie. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, but the absence of an EPSS does not preclude exploitation. System administrators should consider this a significant risk, especially in environments where sessions may be captured over insecure channels or where user credentials must be safeguarded after password changes."}}}}, "created": "2026-04-03T08:58:05.284378+00:00", "updated": "2026-04-03T09:17:17.487642+00:00", "vendors": ["nadh", "nadh$PRODUCT$listmonk"]}