{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34584", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:56:30.999Z", "datePublished": "2026-04-02T17:31:37.615Z", "dateUpdated": "2026-04-02T19:09:02.060Z"}, "containers": {"cna": {"title": "listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv"}, {"name": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35"}, {"name": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0"}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"version": ">= 4.1.0, < 6.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:31:37.615Z"}, "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0."}], "source": {"advisory": "GHSA-85j8-5c6w-gcpv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T19:08:49.596406Z", "id": "CVE-2026-34584", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:09:02.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34584", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T19:08:49.596406Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T19:08:57.370Z"}}], "cna": {"title": "listmonk: Broken Access Control in CSV Import (Unauthorized List Assignment)", "source": {"advisory": "GHSA-85j8-5c6w-gcpv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "knadh", "product": "listmonk", "versions": [{"status": "affected", "version": ">= 4.1.0, < 6.1.0"}]}], "references": [{"url": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv", "name": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35", "name": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "name": "https://github.com/knadh/listmonk/releases/tag/v6.1.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:31:37.615Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34584", "state": "PUBLISHED", "dateUpdated": "2026-04-02T19:09:02.060Z", "dateReserved": "2026-03-30T16:56:30.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T17:31:37.615Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, bugs in list permission checks allows users in a multi-user environment to access to lists (which they don't have access to) under different scenarios. This only affects multi-user environments with untrusted users. This issue has been patched in version 6.1.0."}], "id": "CVE-2026-34584", "lastModified": "2026-04-02T18:16:30.510", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:30.510", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/knadh/listmonk/commit/347f5976759232c36e571cf58b4bfe33c2794f35"}, {"source": "security-advisories@github.com", "url": "https://github.com/knadh/listmonk/releases/tag/v6.1.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/knadh/listmonk/security/advisories/GHSA-85j8-5c6w-gcpv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,6.1.0)"}}], "enrichment": {"confidence": 96.0, "confidence_source": "matching", "scores": [{"score": 96.0, "source": "matching"}]}, "original": {"product": "listmonk", "source": "cna", "vendor": "knadh"}, "product": "listmonk", "vendor": "nadh"}], "analysis": {"en": {"generated_at": "2026-04-02T22:29:58.287794+00:00", "value": {"mitigation_remediation": ["Upgrade to listmonk 6.1.0 or later to apply the vendor patch.", "If an upgrade cannot be performed immediately, restrict untrusted users from performing CSV import and ensure they have no list assignment permissions.", "Verify that all user permissions are correctly configured and that only trusted administrators can manage lists."], "summary": {"action": "Patch", "impact": "Unauthorized access to email lists and potential list assignment by untrusted users"}, "threat_synthesis": {"affected_systems": "Any instance of listmonk version 4.1.0 up through 6.0.x that runs in a multi\u2011user configuration with untrusted users is vulnerable. The issue has been fixed in version 6.1.0 and later.", "description_and_impact": "listmonk, a self\u2011hosted newsletter manager, contains a broken access control flaw that allows users in a multi\u2011user environment to view or assign lists they should not have access to. The flaw, classified under CWE\u2011639, enables unauthorized list assignment during CSV import, potentially compromising email list confidentiality and integrity.", "risk_and_exploitability": "The vulnerability scores a CVSS of 5.4, indicating moderate severity. EPSS data is not available and the flaw is not listed in the CISA KEV catalog, suggesting no publicly known exploit in use. The likely attack vector requires an authentic user with untrusted privileges in a multi\u2011user environment, inferred from the description of permission checks failing during CSV import. Without an upgrade, attackers can gain additional list visibility and potentially add themselves to mailing lists."}}}}, "created": "2026-04-03T08:58:06.339252+00:00", "updated": "2026-04-03T09:17:18.497568+00:00", "vendors": ["nadh", "nadh$PRODUCT$listmonk"]}