CVE-2026-34828
Published: 02 April 2026
Summary
CVE-2026-34828 is a high-severity Insufficient Session Expiration (CWE-613) vulnerability in Nadh Listmonk. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Web Session Cookie (T1550.004). It is ranked at the 2.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-12 (Session Termination): requires automatic termination of user sessions upon organization-defined trigger events such as password changes or resets, directly preventing persistent access via stale session cookies after account security actions.
- SI-2 (Flaw Remediation): ensures timely remediation of the specific session management flaw through identification, reporting, and patching to version 6.1.0 or later, eliminating the vulnerability.
- Account management: mandates account management processes, including disabling or reviewing access following credential changes such as password resets, supporting mitigation of continued unauthorized session use.
MITRE ATT&CK Enterprise Techniques
- Web Session Cookie (T1550.004)
Why these techniques?
The session management flaw (insufficient invalidation on password change) directly enables persistent use of obtained web session cookies for unauthorized access to the application account, bypassing the expected session termination.
NVD Description
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the account even after the victim changes or resets their password. This weakens account recovery and session security guarantees. This issue has been patched in version 6.1.0.
Deeper analysis
CVE-2026-34828 is a session management vulnerability (CWE-613) affecting listmonk, a standalone, self-hosted newsletter and mailing list manager. The issue impacts versions from 4.1.0 up to but not including 6.1.0, where previously issued authenticated sessions remain valid even after sensitive account security changes such as password resets or password changes. This flaw undermines standard account recovery and session invalidation mechanisms, allowing persistent access via session cookies despite user-initiated security actions. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low privileges required.
An authenticated attacker with low privileges (PR:L) who has obtained a valid session cookie can exploit this vulnerability over the network with low complexity and no user interaction. Upon exploitation, the attacker retains unauthorized access to the victim's account even after the victim performs a password reset or change, bypassing the expected session termination. This enables a continued high-impact confidentiality breach, such as access to sensitive mailing list data, and limited integrity modifications, while availability remains unaffected.
The listmonk security advisory (GHSA-h5j9-cvrw-v5qh) and the release notes for version 6.1.0 detail the patch, implemented via commit db82035d619348949512dafdaf60c86037cafc9e, which ensures sessions are properly invalidated upon password changes or resets. Security practitioners should upgrade affected listmonk instances to version 6.1.0 or later to mitigate the issue, and review existing sessions for potential compromise by forcing a logout of all users or by implementing additional session controls where feasible.
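The following is an added example, not code from listmonk or its patch, showing the CWE-613 pattern described above beside the kind of check AC-12 calls for. It assumes a hypothetical in-memory session store in which each user carries a credential generation counter; a password change bumps the counter, so the hardened check rejects every session issued before the change while the legacy check keeps accepting it.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// Constructed illustration of CWE-613 and its fix; not listmonk's own code.
// Each user has a credential generation counter bumped on every password
// change or reset; each session records the generation current at login.
type session struct {
	userID int
	gen    uint64
}
// Store is a hypothetical in-memory session store (single-threaded for brevity).
type Store struct {
	userGen  map[int]uint64
	sessions map[string]session
}
func NewStore() *Store {
	return &Store{userGen: map[int]uint64{}, sessions: map[string]session{}}
}

// Login issues a random token bound to the user's current generation.
func (s *Store) Login(userID int) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy, no session
	}
	tok := hex.EncodeToString(b)
	s.sessions[tok] = session{userID: userID, gen: s.userGen[userID]}
	return tok
}
// ChangePassword bumps the generation, so every earlier session is stale.
func (s *Store) ChangePassword(userID int) { s.userGen[userID]++ }
// ValidateLegacy reproduces the flaw: any known token is accepted, whatever
// password changes happened after it was issued.
func (s *Store) ValidateLegacy(tok string) bool {
	_, ok := s.sessions[tok]
	return ok
}
// Validate is the hardened check: the token must exist and carry the user's
// current generation; stale entries are purged on sight.
func (s *Store) Validate(tok string) bool {
	sess, ok := s.sessions[tok]
	if !ok || sess.gen != s.userGen[sess.userID] {
		delete(s.sessions, tok)
		return false
	}
	return true
}
```

The generation check has the same effect as deleting all of a user's sessions at password-change time, but it also works when sessions live in a store that cannot be enumerated by user.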
Details
- CWE(s)