v2board / Xboard Authentication Token Exposure via loginWithMailLink

Advisories

v2board / Xboard Authentication Token Exposure via loginWithMailLink

severity: critical
date: 4/9/2026
Affecting: v2board 1.6.1 <= 1.7.4
Xboard <= 0.1.9
CVE: CVE-2026-39912
CWE: CWE-201 Insertion of Sensitive Information Into Sent Data
CVSS: 9.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References: Chocapikk Researcher Blog
v2board Pull Request
Xboard Pull Request
v2board Vulnerable Code #L71
Xboard Vulnerable Code #L49
Xboard Vulnerable Code #L51
Xboard Patch Commit
Credit: Valentin Lobstein (Chocapikk)
Description: V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo