CVE-2026-39912
Published: 09 April 2026
Summary
CVE-2026-39912 is a critical-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9. Its CVSS 3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 27.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept, so the low percentile should not be read as "no working exploit".
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediating the code flaw in AuthController.php and MailLinkService.php that exposes authentication tokens in loginWithMailLink responses directly prevents exploitation and unauthorized account access.
Disabling the login_with_mail_link_enable feature where it is not needed removes the vulnerable endpoint's ability to hand tokens to unauthenticated callers (CM-7).
Monitoring HTTP responses from the loginWithMailLink endpoint for authentication URLs or tokens in the body, together with the POST requests that triggered them, identifies exploitation in progress (AU-13).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is reachable without authentication on a public-facing web application (the loginWithMailLink endpoint) and yields a valid authentication token for any account whose email address the attacker knows. That maps to T1190 (Exploit Public-Facing Application) for initial access and to T1078 (Valid Accounts) for the subsequent use of the stolen token, which carries the victim's privileges, including admin where the targeted account is an administrator.
NVD Description
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.
Deeper analysis
CVE-2026-39912 is a critical-severity vulnerability (CVSS 3.1 score of 9.1) affecting V2Board versions 1.6.1 through 1.7.4 and Xboard versions through 0.1.9, stemming from CWE-201 (Insertion of Sensitive Information Into Sent Data). When the login_with_mail_link_enable feature is active, these applications return the login link, token included, in the HTTP response body of the loginWithMailLink endpoint instead of delivering it only to the account's mailbox. The caller therefore obtains the full authentication URL without ever authenticating and without access to the victim's email.
Unauthenticated remote attackers can exploit this vulnerability by sending a POST request to the loginWithMailLink endpoint using a known email address associated with any user account. The response provides the complete authentication URL with an embedded token, which the attacker can then submit to the token2Login endpoint. This exchanges the token for a valid bearer token, granting full account access, including administrative privileges if the targeted account has them.
Advisories and patch references, including a detailed analysis on chocapikk.com and GitHub sources for Xboard, point to mitigations via code fixes. A specific commit (121511523f04882ec0c7447acd9b8ebcb8a47957) and pull request (#873) in the Xboard repository address the token exposure in AuthController.php and MailLinkService.php. Security practitioners should update to patched versions where available, disable the login_with_mail_link_enable feature if not required, and review access logs for POST requests to loginWithMailLink, in particular sources that request links for many different email addresses, and for token2Login exchanges that follow such requests rather than a user opening a mail link.
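The request-then-exchange sequence above is what a log review should look for. The following Python script is an added example, not code from V2Board, Xboard or the chocapikk.com write-up: it runs three checks over constructed JSON-lines request/response logs, flags any loginWithMailLink response whose body contains a URL (a patched endpoint returns none), flags a source that requests links for several distinct accounts inside a short window, and correlates a token seen in a leaked link with its later use at token2Login. The log layout, the field names, the route prefix /api/v1/passport/auth and the link/token format are assumptions; only the two endpoint names come from the advisory.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not real traffic). Layout, field names, route prefix
# and link format are assumptions; only the endpoint names are from the advisory.
# 198.51.100.7 requests links for three accounts, receives the link (and so the token)
# in every response, then exchanges the admin token at token2Login. 203.0.113.5 hits
# a patched instance whose response carries no link.
SAMPLE_LOG = """\
{"ts": "2026-04-09T10:00:00Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/v1/passport/auth/loginWithMailLink", "status": 200, "request": {"email": "admin@example.com"}, "response": {"data": "https://panel.example.com/#/login?verify=k9x2Qm7ZpLw4Tr8Vb1Nc&redirect=dashboard"}}
{"ts": "2026-04-09T10:00:05Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/v1/passport/auth/loginWithMailLink", "status": 200, "request": {"email": "alice@example.com"}, "response": {"data": "https://panel.example.com/#/login?verify=Hf3sYd0Rq6Jx9Wk2Ue5A&redirect=dashboard"}}
{"ts": "2026-04-09T10:00:09Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/v1/passport/auth/loginWithMailLink", "status": 200, "request": {"email": "bob@example.com"}, "response": {"data": "https://panel.example.com/#/login?verify=Zt7Lp1Mv4Cx8Ry3Qn6Bw&redirect=dashboard"}}
{"ts": "2026-04-09T10:00:20Z", "src_ip": "198.51.100.7", "method": "POST", "path": "/api/v1/passport/auth/token2Login", "status": 200, "request": {"verify": "k9x2Qm7ZpLw4Tr8Vb1Nc"}, "response": {"data": "<bearer token redacted>"}}
{"ts": "2026-04-09T10:02:00Z", "src_ip": "203.0.113.5", "method": "POST", "path": "/api/v1/passport/auth/loginWithMailLink", "status": 200, "request": {"email": "carol@example.com"}, "response": {"data": true}}
"""

URL_RE = re.compile(r"https?://[^\s\"']+")
MIN_TOKEN_LEN = 12  # heuristic: skip short query values such as redirect=dashboard


def leaked_urls(response_body):
    """URLs found anywhere in the serialized response body; a patched endpoint yields none."""
    return URL_RE.findall(json.dumps(response_body))


def token_candidates(url):
    """Query-string values of a leaked link long enough to be the one-time token.
    Mail links often put the query behind a '#/' fragment (SPA routing), so both are read."""
    parsed = urlparse(url)
    parts = [parsed.query]
    if "?" in parsed.fragment:
        parts.append(parsed.fragment.split("?", 1)[1])
    return [v for part in parts for vals in parse_qs(part).values() for v in vals
            if len(v) >= MIN_TOKEN_LEN]


def request_values(request_body):
    """Flatten a request body to strings so the exchanged token is found whatever its parameter name."""
    if isinstance(request_body, dict):
        return [str(v) for v in request_body.values()]
    return [str(request_body)] if request_body is not None else []


def analyze(log_text, enum_threshold=3, window=timedelta(minutes=5)):
    """Scan JSON-lines log text and return (rule, src_ip, detail) findings in log order."""
    findings = []
    leaked_tokens = {}            # token -> (src_ip that received it, email it was issued for)
    recent = defaultdict(list)    # src_ip -> [(ts, email)] of loginWithMailLink POSTs in window
    enum_alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["method"] != "POST":
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        src, path = ev["src_ip"], ev["path"]
        if path.endswith("/loginWithMailLink"):
            email = (ev.get("request") or {}).get("email", "")
            # Rule 1: the response body must not carry the login link at all.
            for url in leaked_urls(ev.get("response")):
                findings.append(("token_disclosed", src, f"{email} -> {url}"))
                for tok in token_candidates(url):
                    leaked_tokens[tok] = (src, email)
            # Rule 2: one source requesting links for several distinct accounts in a short window.
            recent[src] = [(t, e) for t, e in recent[src] if ts - t <= window] + [(ts, email)]
            if src not in enum_alerted and len({e for _, e in recent[src]}) >= enum_threshold:
                enum_alerted.add(src)
                findings.append(("mail_link_enumeration", src, f"{len(recent[src])} requests in {window}"))
        elif path.endswith("/token2Login"):
            # Rule 3: a token that was seen leaking in a response body is now being exchanged.
            for val in request_values(ev.get("request")):
                if val in leaked_tokens:
                    rsrc, email = leaked_tokens[val]
                    origin = "same source" if rsrc == src else rsrc
                    findings.append(("leaked_token_exchanged", src,
                                     f"token issued for {email}, link requested by {origin}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in analyze(SAMPLE_LOG):
        print(f"{rule:24} {src:15} {detail}")
```

Run it as a script to print the findings for the sample. In practice, feed it the reverse-proxy or application log that records request and response bodies for the two endpoints; response-body logging is what the first rule depends on, which is why AU-13 is the primary control. On a vulnerable instance the legitimate user would exchange the same token after opening the mail, so the third rule reports who requested the link: an exchange from the source that requested it, rather than from the victim's own device, is the strongest indicator of exploitation.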
Details
- CWE(s)