PT-2026-29816 · Listmonk · Listmonk

0Xmrma · Published 2026-04-01 · Updated 2026-04-02

CVE-2026-34828 · CVSS v3.1 7.1 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: listmonk versions 4.1.0 through 6.0.0

Description: listmonk, a self-hosted newsletter and mailing list manager, has a session management issue. Previously issued authenticated sessions remain valid after sensitive account security changes, such as a password reset or password change. This allows an attacker with a valid session cookie to maintain access to an account even after the victim changes or resets their password, weakening account recovery and session security. The issue occurs because existing sessions are not revoked after account credentials are updated. This impacts all authenticated users, including those with TOTP enabled.

The vulnerability was reproduced on version 6.0.0. The application updates account credentials successfully, but existing active sessions are not revoked afterward. Both the password reset flow and the authenticated profile update flow are affected. Relevant code areas include cmd/auth.go, cmd/users.go, and internal/core/users.go.
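The missing step described above, revoking existing sessions in the same operation that updates the credential, as an added Go illustration that is not listmonk's code. Auth, its session map and the password hash values are hypothetical; the logged-in change keeps the caller's own session, while the reset flow (empty currentSession) revokes every session.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// Auth is an illustrative, single-threaded account/session store (not
// listmonk's code) showing the fix: a credential change must revoke sessions.
type Auth struct {
	hashes map[int]string // user ID -> stored password hash (hypothetical value)
	byID   map[string]int // session ID -> user ID
}

func NewAuth() *Auth {
	return &Auth{hashes: map[int]string{}, byID: map[string]int{}}
}

// Login issues a fresh random session ID for userID, as a login handler would.
func (a *Auth) Login(userID int) string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	id := hex.EncodeToString(buf)
	a.byID[id] = userID
	return id
}

// Valid is the check the auth middleware makes on every request.
func (a *Auth) Valid(id string) bool {
	_, ok := a.byID[id]
	return ok
}

// revokeAll drops every session of userID except keep and returns how many.
func (a *Auth) revokeAll(userID int, keep string) int {
	n := 0
	for id, uid := range a.byID { // deleting during range is safe in Go
		if uid == userID && id != keep {
			delete(a.byID, id)
			n++
		}
	}
	return n
}

// ChangePassword stores the new hash and, in the same step, revokes the user's
// other sessions; currentSession is "" for the reset flow, so every session goes.
func (a *Auth) ChangePassword(userID int, newHash, currentSession string) int {
	a.hashes[userID] = newHash
	return a.revokeAll(userID, currentSession)
}
```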
Recommendations: Upgrade to listmonk version 6.1.0 or later.

Weakness Enumeration: Insufficient Session Expiration

Related Identifiers:
CVE-2026-34828
GHSA-H5J9-CVRW-V5QH

Affected Products: Listmonk