CVE-2026-34828: CWE-613: Insufficient Session Expiration in knadh listmonk
listmonk is a standalone, self-hosted newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
AI Analysis
Technical Summary
CVE-2026-34828 affects listmonk, self-hosted newsletter and mailing list management software, in versions from 4.1.0 to before 6.1.0. The vulnerability arises from insufficient session expiration controls, specifically the failure to invalidate existing authenticated sessions when a user changes or resets their password. Normally, a password change should invalidate all active sessions so that a compromised credential or stolen cookie cannot be used afterwards. Here, session tokens issued before the password change remain valid, allowing an attacker who has obtained such a token to continue accessing the victim's account. This weakens the security guarantees of account recovery and session management. The vulnerability is categorized under CWE-613, which covers insufficient session expiration. The CVSS v3.1 base score is 7.1, reflecting high severity due to the network attack vector, low attack complexity, and the requirement of privileges (a valid session). The impact is primarily on confidentiality, as unauthorized access to account data is possible, with limited impact on integrity and no impact on availability. No user interaction is required for exploitation. The issue was publicly disclosed and patched in version 6.1.0 of listmonk. No known exploits in the wild have been reported yet.
Potential Impact
The vulnerability allows attackers who have previously obtained valid session cookies to maintain persistent unauthorized access to listmonk accounts even after victims change or reset their passwords. This undermines the effectiveness of password resets as a security measure, potentially enabling prolonged data exposure, unauthorized newsletter management, and manipulation of mailing lists. Organizations relying on listmonk for communication may face confidentiality breaches, reputational damage, and compliance risks if sensitive subscriber data is exposed. The persistence of sessions post-password change also complicates incident response and recovery efforts. While the vulnerability does not directly impact system availability or integrity, the unauthorized access can lead to indirect impacts such as phishing campaigns or spam distribution through compromised accounts. The risk is heightened in environments where session tokens are not otherwise protected or monitored, and where attackers have means to steal session cookies (e.g., via network interception, XSS, or insider threats).
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade listmonk installations to version 6.1.0 or later, where the issue is patched. Until upgrading is possible, administrators should implement additional session management controls such as manual invalidation of all active sessions upon password changes or resets. Employing short session lifetimes and requiring re-authentication for sensitive operations can reduce exposure. Monitoring for unusual session activity and implementing secure cookie attributes (HttpOnly, Secure, SameSite) can help protect session tokens from theft. Network-level protections such as enforcing HTTPS and using VPNs can reduce the risk of session interception. Additionally, educating users on secure session practices and monitoring logs for suspicious access patterns can aid in early detection. Finally, integrating multi-factor authentication (MFA) can provide an additional security layer that limits the impact of compromised session tokens.
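The session invalidation described in the Technical Summary and called for in the mitigation paragraph, as an added Go example (listmonk is written in Go). This is illustrative code, not listmonk's own: `Session`, `sessions`, `pwChanged`, `Login`, `Validate` and `ChangePassword` are assumed names over an in-memory stand-in for the session backend and user table.

```go
package main
import (
	"crypto/rand"
	"fmt"
	"time"
)
type Session struct {
	UserID   int       // owning user
	IssuedAt time.Time // when the cookie was issued
}
// In-memory stand-ins for listmonk's session backend and user table (example code only).
var (
	sessions  = map[string]Session{} // cookie value -> session
	pwChanged = map[int]time.Time{}  // user id -> time of last password change or reset
)

// Login issues a fresh random session cookie for userID.
func Login(userID int, now time.Time) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read always fills b; Go 1.24+ documents it never errors
	id := fmt.Sprintf("%x", b)
	sessions[id] = Session{UserID: userID, IssuedAt: now}
	return id
}

// Validate resolves a cookie to its user. The bare map lookup alone is the CWE-613
// behaviour; the IssuedAt check rejects sessions older than the last password change.
func Validate(id string) (int, bool) {
	sess, ok := sessions[id]
	if !ok || sess.IssuedAt.Before(pwChanged[sess.UserID]) {
		return 0, false
	}
	return sess.UserID, true
}

// ChangePassword records the change time (invalidating all earlier sessions) and
// re-issues one session so the user who made the change stays logged in.
func ChangePassword(userID int, now time.Time) string {
	pwChanged[userID] = now
	return Login(userID, now)
}

func main() {
	t0 := time.Date(2026, 4, 2, 12, 0, 0, 0, time.UTC)
	stolen := Login(7, t0) // constructed: cookie captured before the password reset
	fresh := ChangePassword(7, t0.Add(time.Hour))
	_, stolenOK := Validate(stolen)
	_, freshOK := Validate(fresh)
	fmt.Println("stolen accepted:", stolenOK, "fresh accepted:", freshOK) // false true
}
```

Keeping the change time on the user record also covers session backends that cannot enumerate a user's sessions; where the backend can, deleting them explicitly inside `ChangePassword` is a sensible addition on top of the timestamp check.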
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T20:52:53.283Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cead0fe6bfc5ba1df180b1
Added to database: 4/2/2026, 5:53:19 PM
Last enriched: 4/2/2026, 6:08:21 PM
Last updated: 4/3/2026, 6:00:15 AM