DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34828: Insufficient Session Expiration in listmonk

Vulnerability ID: CVE-2026-34828
CVSS Score: 7.1
Published: 2026-04-01

Listmonk versions 4.1.0 through 6.0.x contain an Insufficient Session Expiration vulnerability (CWE-613) in the application's authentication lifecycle handlers. The software does not revoke existing authenticated sessions when a user resets or intentionally changes their password. An attacker who has already obtained a valid session cookie therefore keeps persistent access to the account even after the victim rotates the credential, which is normally the first-line response to a suspected account compromise.

TL;DR

Listmonk prior to version 6.1.0 does not invalidate active session tokens upon password changes or resets. Attackers with stolen session cookies can maintain persistent authenticated access despite victim credential rotation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-613
  • Attack Vector: Network
  • CVSS Score: 7.1 (High)
  • Exploit Status: Proof of Concept (PoC) available
  • KEV Status: Not Listed
  • Impact: Persistent Unauthorized Access

Affected Systems

  • listmonk standalone Go binary
  • listmonk Docker container
  • listmonk: >= 4.1.0, < 6.1.0 (Fixed in: 6.1.0)

Code Analysis

Commit: db82035

Fix: Implement session revocation on password change
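The fix in commit db82035 is not reproduced on this page. The following is an added example, my own code rather than listmonk's, that shows the CWE-613 shape of a password-change handler next to a hardened one. The in-memory SessionStore is a constructed stand-in for a server-side session table (listmonk keeps its sessions in PostgreSQL), and the type and function names and the SHA-256 placeholder for password hashing are assumptions made for illustration only.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sync"
)

// SessionStore is a constructed in-memory substitute for a DB-backed session
// table: it maps session IDs (the cookie value) to user IDs.
type SessionStore struct {
	mu   sync.Mutex
	byID map[string]int
}

func NewSessionStore() *SessionStore {
	return &SessionStore{byID: make(map[string]int)}
}

// Create issues a fresh random session ID bound to userID.
func (s *SessionStore) Create(userID int) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(b)
	s.mu.Lock()
	s.byID[id] = userID
	s.mu.Unlock()
	return id
}

// Lookup resolves a cookie value to a user, as an auth middleware would.
func (s *SessionStore) Lookup(id string) (int, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	uid, ok := s.byID[id]
	return uid, ok
}

// RevokeAllForUser deletes every session of userID except keep (the session
// that performed the change, so the user is not logged out of the browser they
// are using). Pass keep == "" to revoke everything, as a reset flow should.
// Returns the number of sessions revoked.
func (s *SessionStore) RevokeAllForUser(userID int, keep string) int {
	s.mu.Lock()
	defer s.mu.Unlock()
	n := 0
	for id, uid := range s.byID {
		if uid == userID && id != keep {
			delete(s.byID, id)
			n++
		}
	}
	return n
}

type User struct {
	ID           int
	PasswordHash [32]byte
}

// hashPassword is a placeholder for the example; real code uses bcrypt or argon2id.
func hashPassword(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

func (u *User) CheckPassword(pw string) bool {
	h := hashPassword(pw)
	return subtle.ConstantTimeCompare(h[:], u.PasswordHash[:]) == 1
}

// ChangePasswordVulnerable is the CWE-613 shape: the credential rotates, but
// every session issued under the old password stays valid.
func ChangePasswordVulnerable(u *User, newPw string) {
	u.PasswordHash = hashPassword(newPw)
}

// ChangePasswordFixed rotates the credential and revokes the user's other
// sessions in the same step, so a stolen cookie dies with the old password.
func ChangePasswordFixed(store *SessionStore, u *User, currentSession, newPw string) int {
	u.PasswordHash = hashPassword(newPw)
	return store.RevokeAllForUser(u.ID, currentSession)
}

// ResetPasswordFixed is the forgot-password flow: no session is "current", so
// every session for the user is revoked.
func ResetPasswordFixed(store *SessionStore, u *User, newPw string) int {
	u.PasswordHash = hashPassword(newPw)
	return store.RevokeAllForUser(u.ID, "")
}

func main() {
	store := NewSessionStore()
	victim := &User{ID: 1, PasswordHash: hashPassword("old-secret")}
	stolen := store.Create(victim.ID) // cookie the attacker exfiltrated
	own := store.Create(victim.ID)    // the victim's own browser

	ChangePasswordVulnerable(victim, "new-secret")
	_, alive := store.Lookup(stolen)
	fmt.Println("vulnerable: stolen session still valid after change:", alive)

	ChangePasswordFixed(store, victim, own, "newer-secret")
	_, alive = store.Lookup(stolen)
	_, ownAlive := store.Lookup(own)
	fmt.Println("fixed: stolen session valid:", alive, "own session valid:", ownAlive)
}
```

The revocation must happen in the same handler that writes the new hash; a later, separate cleanup leaves a window in which the old cookie still works. Keeping the current session alive is a usability choice for the intentional-change path only; a reset flow has no trusted current session and should revoke everything.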

Exploit Details

  • Local Analysis: an HTTP request snippet (in the full report, not reproduced here) replaying a session cookie issued before the password reset against the /api/profile endpoint after the reset, showing that the request still succeeds.

Mitigation Strategies

  • Upgrade to a patched version (6.1.0 or later)
  • Perform a manual purge of the sessions table in PostgreSQL to invalidate every outstanding session
  • Detect session reuse from unexpected source addresses or geographies (impossible travel) at the WAF or reverse proxy, and invalidate the affected session when such a rule fires

Remediation Steps:

  1. Verify the running version of listmonk. If it is >= 4.1.0 and < 6.1.0, the instance is vulnerable.
  2. Back up the listmonk PostgreSQL database before performing any upgrade or manual intervention.
  3. Update the listmonk binary, or pull the listmonk:v6.1.0 Docker image (pin the tag rather than relying on listmonk:latest, so the deployed version is known).
  4. Restart the listmonk service so the updated binary or container takes effect.
  5. Purge existing sessions by connecting to the listmonk PostgreSQL database and executing DELETE FROM sessions;. Do this when an upgrade is not immediately possible, and again once the upgrade is done: the fix revokes sessions only at the moment of a password change, so sessions issued (or stolen) before the upgrade remain valid until they expire. The purge logs out every user, administrators included, and on an unpatched instance it is only a stop-gap, since any session stolen afterwards will again survive the next password change.

References


Read the full report for CVE-2026-34828 on our website for more details including interactive diagrams and full exploit analysis.
