CVE-2026-34828
listmonk: Active sessions remain valid after password reset and password change
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
1th
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
| CWE | CWE-613 |
| Vendor | knadh |
| Product | listmonk |
| Published | Apr 2, 2026 |
| Last Updated | Apr 3, 2026 |
Stay Ahead of the Next One
Get instant alerts for knadh listmonk
Be the first to know when new high vulnerabilities affecting knadh listmonk are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
knadh / listmonk
>= 4.1.0, < 6.1.0