CVE-2026-39912 - Vulnerability Analysis
Severity: Critical
CVSS: 9.1
Last Updated: April 9, 2026
V2Board - Authentication Bypass
Published: April 9, 2026
Updated: April 9, 2026
PoC Available
Remote Exploitable
Overview
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 contain an authentication bypass caused by the exposure of authentication tokens in the HTTP response bodies of the loginWithMailLink endpoint. An unauthenticated attacker can use an exposed token to gain full account access, including admin privileges. Exploitation requires the login_with_mail_link_enable feature to be active.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Unauthenticated attackers can obtain valid bearer tokens, gaining full account and admin access.
Mitigation
Update V2Board to a version later than 1.7.4 and Xboard to a version later than 0.1.9, or to the latest available release of each.
References
- https://github.com/v2board/v2board/pull/981
- https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposure-via-loginwithmaillink
- https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/
- https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Http/Controllers/V1/Passport/AuthController.php#L51
- https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660bc/app/Services/Auth/MailLinkService.php#L49
- https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a47957
- https://github.com/cedar2025/Xboard/pull/873
- https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e8/app/Http/Controllers/Passport/AuthController.php#L71
Details
- CVE ID: CVE-2026-39912
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: new
CWE
- CWE-201
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N