CVE-2026-34584

Published: Apr 2, 2026Modified: Apr 10, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: security-advisories@github.com (Secondary)

Description

listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.

Affected (1)

Products: Nadh: Listmonk

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nadh Listmonk	From 4.1.0 to 6.1.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (3)

https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35

Source: security-advisories@github.com

Patch

https://github.com/knadh/listmonk/releases/tag/v6.1.0

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.