CVE-2026-34584

Published: Apr 02, 2026 Last Modified: Apr 02, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 5,4
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none

Description

AI Translation Available

listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0.

639

Authorization Bypass Through User-Controlled Key

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: High
View CWE Details
https://github.com/knadh/listmonk/commit/347f5976759232c36e…
https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f…
https://github.com/knadh/listmonk/releases/tag/v6.1.0
https://github.com/knadh/listmonk/releases/tag/v6.1.0
https://github.com/knadh/listmonk/security/advisories/GHSA-…
https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv