CVE-2026-34828: listmonk's active sessions remain valid after password reset and password change
A session management vulnerability allows previously issued authenticated sessions to remain valid after a password reset or password change. As a result, an attacker who has already obtained a valid session cookie keeps access to the account even after the victim changes or resets their password. The expected behaviour is that changing or resetting a password invalidates every other session for that account (the session that performed the change may stay signed in), because a password change is the primary recovery action after a suspected cookie theft or account compromise.
This weakens account recovery and session security guarantees. I reproduced the issue on listmonk v6.0.0.
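The following Go example is added here to illustrate the class of bug and one common fix; it is not listmonk's code, and the store, type and function names are invented for the illustration. Each session is stamped with the user's password generation at login. The weak validator accepts any token that is still in the store (the behaviour described above); the strict validator rejects tokens whose generation is older than the user's current one, so a password change or reset invalidates every other session while the session that made the change is re-stamped and survives.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// session records the password generation it was issued under.
type session struct {
	userID  string
	passGen uint64
}

// user tracks a monotonically increasing password generation; it is bumped on
// every password change or reset. (Illustrative type, not listmonk's model.)
type user struct {
	passGen uint64
}

// Store is a toy in-memory session store used only for this example.
type Store struct {
	mu       sync.Mutex
	users    map[string]*user
	sessions map[string]session
}

func NewStore() *Store {
	return &Store{users: map[string]*user{}, sessions: map[string]session{}}
}

func (s *Store) AddUser(id string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.users[id] = &user{}
}

// Login issues a session token; credential verification is assumed to have
// already happened and is out of scope here.
func (s *Store) Login(userID string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return "", errors.New("no such user")
	}
	tok := newToken()
	s.sessions[tok] = session{userID: userID, passGen: u.passGen}
	return tok, nil
}

// ValidateWeak mirrors the vulnerable behaviour: any token still present in
// the store is accepted, no matter how many password changes happened since.
func (s *Store) ValidateWeak(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", false
	}
	return sess.userID, true
}

// ValidateStrict rejects (and purges) sessions issued under an earlier
// password generation than the user's current one.
func (s *Store) ValidateStrict(token string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok {
		return "", false
	}
	u, ok := s.users[sess.userID]
	if !ok || sess.passGen != u.passGen {
		delete(s.sessions, token)
		return "", false
	}
	return sess.userID, true
}

// ChangePassword bumps the generation so every existing session goes stale.
// keepToken (the session that performed the change) is re-stamped so the
// user is not logged out of the browser they are using; pass "" to keep none.
func (s *Store) ChangePassword(userID, keepToken string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	u, ok := s.users[userID]
	if !ok {
		return errors.New("no such user")
	}
	u.passGen++
	if sess, ok := s.sessions[keepToken]; ok && sess.userID == userID {
		sess.passGen = u.passGen
		s.sessions[keepToken] = sess
	}
	return nil
}

// ResetPassword models the recovery flow: the requester holds no trusted
// session, so nothing survives.
func (s *Store) ResetPassword(userID string) error {
	return s.ChangePassword(userID, "")
}

func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func main() {
	st := NewStore()
	st.AddUser("admin")
	victim, _ := st.Login("admin")
	stolen, _ := st.Login("admin") // token the attacker already holds
	_ = st.ChangePassword("admin", victim)
	_, weak := st.ValidateWeak(stolen)
	_, strict := st.ValidateStrict(stolen)
	fmt.Printf("stolen token after password change: weak=%v strict=%v\n", weak, strict)
}
```

Stamping sessions with a generation (or a "password changed at" timestamp compared against the session's issue time) avoids having to enumerate and delete every session for the user, which matters when sessions live in a cookie store or cache that cannot be queried by user ID.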