Byte Open Security (ByteOS Network)
Vulnerability Details: CVE-2026-39912

Summary
Assigner: VulnCheck
Assigner Org ID: 83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At: 09 Apr, 2026 | 18:35
Updated At: 13 Apr, 2026 | 15:38
Rejected At: -

v2board / Xboard Authentication Token Exposure via loginWithMailLink

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

Common Vulnerabilities and Exposures (CVE), per cve.org
CVE Numbering Authority (CNA) record
Affected Products
Vendor: v2board
Product: v2board
Repo: https://github.com/v2board/v2board
Default Status: unknown
Affected versions:
  • From 1.6.1 through 1.7.4 (semver)
  • From bdb10bed32c5f37df2f0872c3cb354e9b7a293bd through 0ca47622a50116d0ddd7ffb316b157afb57d25e8 (git)
Vendor: cedar2025
Product: Xboard
Repo: https://github.com/cedar2025/Xboard
Default Status: unaffected
Affected versions:
  • From 0 through 0.1.9 (semver)
Unaffected versions:
  • 121511523f04882ec0c7447acd9b8ebcb8a47957 (git)
Problem Types
  • CWE-201 Insertion of Sensitive Information Into Sent Data (type: CWE)
Metrics
  • CVSS 4.0, base score 9.1, CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
  • CVSS 3.1, base score 9.1, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Credits
  • finder: Valentin Lobstein (Chocapikk)
References
  • https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/ (technical-description, exploit)
  • https://github.com/v2board/v2board/pull/981 (issue-tracking, mitigation)
  • https://github.com/cedar2025/Xboard/pull/873 (issue-tracking, mitigation)
  • https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71 (related)
  • https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49 (related)
  • https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Http/Controllers/V1/Passport/AuthController.php#L51 (related)
  • https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a47957 (patch)
  • https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink (third-party-advisory)
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: information is not available yet.
National Vulnerability Database (NVD), per nvd.nist.gov
Source: disclosure@vulncheck.com
Published At: 09 Apr, 2026 | 19:16
Updated At: 13 Apr, 2026 | 15:02

CISA Catalog
  • Date Added: N/A; Due Date: N/A; Vulnerability Name: N/A; Required Action: N/A
Metrics
  • Secondary: CVSS 4.0, base score 9.1, CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Primary: CVSS 3.1, base score 9.1, CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weaknesses
  • CWE-201 (type: Primary, source: disclosure@vulncheck.com)
References (source for all entries: disclosure@vulncheck.com; resource type: N/A)
  • https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/
  • https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Http/Controllers/V1/Passport/AuthController.php#L51
  • https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49
  • https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a47957
  • https://github.com/cedar2025/Xboard/pull/873
  • https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71
  • https://github.com/v2board/v2board/pull/981
  • https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink

Change History: information is not available yet.

Similar CVEs (1 record found)

CVE-2024-3502: Exposure of Sensitive Information in lunary-ai/lunary
Matching Score: 4
Assigner: Protect AI (formerly huntr.dev)
CVSS Score: 9.1 | CRITICAL
EPSS: 0.23% / 45.60% (7 day change ~0.00%)
Published: 14 Nov, 2024 | 17:34
Updated: 15 Oct, 2025 | 13:15
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. This issue occurs when authenticated users inspect responses from `GET /v1/users/me` and `GET /v1/users/me/org` endpoints. The exposed account recovery hashes, while not directly related to user passwords, represent sensitive information that should not be accessible to unauthorized parties. Exposing these hashes could potentially facilitate account recovery attacks or other malicious activities. The vulnerability was addressed in version 1.2.6.

Action: Not Available
Vendor: Lunary LLC
Product: lunary (lunary-ai/lunary)
CWE ID: CWE-201 Insertion of Sensitive Information Into Sent Data
CWE ID: CWE-922 Insecure Storage of Sensitive Information