CVE-2026-34828: CWE-613: Insufficient Session Expiration in knadh listmonk
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
AI Analysis
Technical Summary
CVE-2026-34828 is a session management vulnerability in listmonk, a self-hosted newsletter and mailing list manager. Between versions 4.1.0 and before 6.1.0, sessions issued prior to password changes or resets remain valid, allowing attackers who have obtained a valid session cookie to retain access even after the victim updates their password. This insufficient session expiration (CWE-613) undermines the security guarantees of account recovery and session management. The vulnerability has been patched in version 6.1.0.
Potential Impact
An attacker who has already obtained a valid session cookie can continue to access the affected account even after the legitimate user changes or resets their password. This compromises the effectiveness of password resets as a security measure and allows persistent unauthorized access. The confidentiality of the account is at high risk, while integrity impact is limited and availability is not affected.
Mitigation Recommendations
Upgrade listmonk to version 6.1.0 or later, where this session management vulnerability has been fixed. Since this is a self-hosted product, administrators must apply the update themselves to ensure sessions are properly invalidated after password changes or resets.
CVE-2026-34828: CWE-613: Insufficient Session Expiration in knadh listmonk
Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34828 is a session management vulnerability in listmonk, a self-hosted newsletter and mailing list manager. Between versions 4.1.0 and before 6.1.0, sessions issued prior to password changes or resets remain valid, allowing attackers who have obtained a valid session cookie to retain access even after the victim updates their password. This insufficient session expiration (CWE-613) undermines the security guarantees of account recovery and session management. The vulnerability has been patched in version 6.1.0.
Potential Impact
An attacker who has already obtained a valid session cookie can continue to access the affected account even after the legitimate user changes or resets their password. This compromises the effectiveness of password resets as a security measure and allows persistent unauthorized access. The confidentiality of the account is at high risk, while integrity impact is limited and availability is not affected.
Mitigation Recommendations
Upgrade listmonk to version 6.1.0 or later, where this session management vulnerability has been fixed. Since this is a self-hosted product, administrators must apply the update themselves to ensure sessions are properly invalidated after password changes or resets.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T20:52:53.283Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cead0fe6bfc5ba1df180b1
Added to database: 4/2/2026, 5:53:19 PM
Last enriched: 4/9/2026, 10:43:38 PM
Last updated: 5/20/2026, 9:40:23 PM
Views: 89
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.