Description

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

PUBLISHED Reserved 2026-04-07 | Published 2026-04-09 | Updated 2026-05-25 | Assigner VulnCheck




CRITICAL: 9.1 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)

CRITICAL: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Problem types

CWE-201 Insertion of Sensitive Information Into Sent Data

Product status

Default status: unknown
1.6.1 (semver): affected
bdb10bed32c5f37df2f0872c3cb354e9b7a293bd (git): affected

Default status: unaffected
Any version: affected
121511523f04882ec0c7447acd9b8ebcb8a47957 (git): unaffected

Credits

Valentin Lobstein (Chocapikk) finder

References

chocapikk.com/posts/2026/xboard-v2board-account-takeover/ technical-description exploit

github.com/v2board/v2board/pull/981 issue-tracking mitigation

github.com/cedar2025/Xboard/pull/873 issue-tracking mitigation

github.com/...p/Http/Controllers/Passport/AuthController.php related

github.com/...78d660bc/app/Services/Auth/MailLinkService.php related

github.com/...ttp/Controllers/V1/Passport/AuthController.php related

github.com/...ommit/121511523f04882ec0c7447acd9b8ebcb8a47957 patch

www.vulncheck.com/...on-token-exposure-via-loginwithmaillink third-party-advisory

cve.org (CVE-2026-39912)

nvd.nist.gov (CVE-2026-39912)