Description
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.
Published: 2026-04-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The loginWithMailLink endpoint returns a full authentication URL that contains an authentication token in the HTTP response body when the login_with_mail_link_enable feature is active. An unauthenticated attacker can submit a known email address to this endpoint and receive a complete login URL. By sending that URL to the token2Login endpoint, the attacker obtains a bearer token that grants full account access, including administrative privileges. The flaw is a direct information-exposure weakness (CWE-201).

Affected Systems

Versions of cedar2025 Xboard from 0.1.0 through 0.1.9 and v2board from 1.6.1 through 1.7.4 are affected when the login_with_mail_link_enable feature is enabled.

Risk and Exploitability

The CVSS base score of 9.1 marks the vulnerability as critical. An attacker can exploit it from any network location by simply POSTing a known email address to the loginWithMailLink endpoint; no authentication, special permissions, or code execution are required. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of exposure controls and the ease of obtaining valid tokens make the risk immediate and high.

Generated by OpenCVE AI on April 9, 2026 at 21:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade v2board to 1.7.5 or later and Xboard to 0.1.10 or later, where the loginWithMailLink endpoint no longer includes the authentication token in the response.
  • If an upgrade is not possible, disable the login_with_mail_link_enable feature in the configuration to prevent tokens from being exposed.
  • After disabling or updating, verify that the loginWithMailLink endpoint no longer returns a token or full authentication URL in the HTTP response body.
Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cedar2025; Cedar2025 xboard; V2board; V2board v2board
Vendors & Products | | Cedar2025; Cedar2025 xboard; V2board; V2board v2board

Thu, 09 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.
Title | | v2board / Xboard Authentication Token Exposure via loginWithMailLink
Weaknesses | | CWE-201
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}; cvssV4_0: {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-09T18:51:49.345Z

Reserved: 2026-04-07T20:57:06.209Z

Link: CVE-2026-39912

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T19:16:25.920

Modified: 2026-04-09T19:16:25.920

Link: CVE-2026-39912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:31:43Z

Weaknesses