CVE-2026-34584 Overview
CVE-2026-34584 is an authorization bypass vulnerability discovered in listmonk, a standalone, self-hosted newsletter and mailing list manager. In versions from 4.1.0 up to, but not including, 6.1.0, bugs in the list permission checks allow users of a multi-user deployment to access lists they are not authorized to access, in several scenarios. The bypass affects multi-user environments with untrusted users and can lead to unauthorized data access and modification.
Critical Impact
Users in multi-user listmonk deployments can bypass permission checks to access and potentially modify mailing lists they should not have access to, leading to unauthorized data exposure and potential integrity violations.
Affected Products
- listmonk versions 4.1.0 through 6.0.x
- Self-hosted listmonk multi-user deployments
- Newsletter and mailing list management systems running vulnerable listmonk versions
Discovery Timeline
- 2026-04-02 - CVE-2026-34584 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34584
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a broken access control flaw where the application fails to properly validate user permissions before granting access to protected resources. The vulnerability exists in multiple handlers within the listmonk application, where permission checks were either missing or improperly implemented.
In affected versions, when users interact with campaign and import functionality, the application does not adequately filter list IDs against the current user's permitted lists. This allows authenticated users to reference and access lists belonging to other users or that they otherwise should not have permission to view or manage.
Root Cause
The root cause lies in missing permission validation logic across multiple request handlers in the listmonk codebase. Specifically, the application failed to filter incoming list IDs against the authenticated user's permitted lists before processing requests. The absence of calls to FilterListsByPerm() in critical code paths allowed users to specify arbitrary list IDs in their requests, bypassing the intended access control model.
Attack Vector
The attack requires network access and valid authentication credentials (low-privilege user account) in a multi-user listmonk deployment. An authenticated attacker can exploit this vulnerability by:
- Identifying or guessing list IDs belonging to other users
- Crafting requests that reference these unauthorized list IDs
- Submitting the requests through campaign creation, import, or other affected endpoints
- Gaining unauthorized read or write access to the targeted lists
The security patch adds proper permission filtering by introducing the FilterListsByPerm() function call to validate user permissions:
// Filter lists against the current user's permitted lists.
user := auth.GetUser(c)
o.ListIDs = user.FilterListsByPerm(auth.PermTypeGet|auth.PermTypeManage, o.ListIDs)
Source: GitHub Commit Details
The patch also adds the necessary auth import to the import handler:
"os"
"strings"
"github.com/knadh/listmonk/internal/auth"
"github.com/knadh/listmonk/internal/subimporter"
"github.com/knadh/listmonk/models"
"github.com/labstack/echo/v4"
Source: GitHub Commit Details
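To make the fix concrete, here is an added Go example (not listmonk's code) that models a user's list grants and shows the unfiltered pre-patch handling beside a handler that passes the request's list IDs through a FilterListsByPerm method before use. The PermType bit values, the User type and the handler names are assumptions for illustration.

```go
package main

import "fmt"

// PermType holds permission bits, modelled on the auth.PermTypeGet|auth.PermTypeManage
// pair used in the patch; the bit values here are assumed, not listmonk's.
type PermType uint8

const (
	PermTypeGet    PermType = 1 << iota // may read the list
	PermTypeManage                      // may modify the list
)

// User is a hypothetical stand-in for listmonk's auth user: ListPerms maps
// each list ID the user has been granted to the permissions held on it.
type User struct {
	Name      string
	ListPerms map[int]PermType
}

// FilterListsByPerm keeps only the IDs on which the user holds at least one of
// the requested bits; unknown and ungranted IDs are dropped, which is the property the fix relies on.
func (u *User) FilterListsByPerm(perm PermType, ids []int) []int {
	out := []int{}
	for _, id := range ids {
		if u.ListPerms[id]&perm != 0 {
			out = append(out, id)
		}
	}
	return out
}

// campaignListsVulnerable mirrors the pre-6.1.0 behaviour: the request's
// list IDs are used exactly as supplied.
func campaignListsVulnerable(_ *User, requested []int) []int {
	return requested
}

// campaignListsFixed mirrors the patched handler: the request's list IDs are
// filtered against the user's grants before anything else happens.
func campaignListsFixed(u *User, requested []int) []int {
	return u.FilterListsByPerm(PermTypeGet|PermTypeManage, requested)
}

func main() {
	// Constructed grants: alice may read list 1 and manage list 2; list 7 is not hers.
	alice := &User{Name: "alice", ListPerms: map[int]PermType{1: PermTypeGet, 2: PermTypeManage}}
	req := []int{1, 2, 7}
	fmt.Println("vulnerable:", campaignListsVulnerable(alice, req)) // [1 2 7]
	fmt.Println("fixed:", campaignListsFixed(alice, req))           // [1 2]
}
```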
Detection Methods for CVE-2026-34584
Indicators of Compromise
- Unusual access patterns where users interact with lists outside their assigned permissions
- API requests containing list IDs that don't belong to the requesting user
- Audit logs showing users accessing or modifying mailing lists they were not explicitly granted access to
- Unexpected changes to subscriber lists or campaign configurations
Detection Strategies
- Review application logs for requests to campaign and import endpoints that reference unauthorized list IDs
- Implement database query monitoring to detect cross-user list access patterns
- Monitor API traffic for anomalous list ID references in multi-user deployments
- Audit user activity reports for permission boundary violations
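The first detection strategy above, reviewing logs for campaign and import requests that reference list IDs the requesting user was never granted, as an added Go example that is not part of this advisory or of listmonk: it walks constructed key=value log lines against a constructed user-to-lists grant table. The log layout and the endpoint paths are assumptions, not listmonk's own format.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Finding records one request that referenced a list its user was never granted.
type Finding struct {
	User, Path string
	ListID     int
}

// permitted maps each user to the list IDs granted to them (constructed sample).
var permitted = map[string]map[int]bool{"alice": {1: true, 2: true}, "bob": {7: true}}

// sampleLog is constructed for this example in a key=value layout; it is not
// listmonk's own log format, and the endpoint paths are assumed.
const sampleLog = `2026-04-03T10:01:02Z user=alice method=POST path=/api/campaigns lists=1,2
2026-04-03T10:01:05Z user=alice method=POST path=/api/import/subscribers lists=7
2026-04-03T10:02:00Z user=bob method=POST path=/api/campaigns lists=7,2
2026-04-03T10:02:10Z user=bob method=GET path=/api/subscribers lists=1`

// FindUnauthorizedListRefs flags campaign/import requests citing a list the user has no grant for.
func FindUnauthorizedListRefs(log string) []Finding {
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		f := map[string]string{} // k=v tokens; the bare timestamp token is skipped
		for _, tok := range strings.Fields(line) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				f[k] = v
			}
		}
		if !strings.HasPrefix(f["path"], "/api/campaigns") && !strings.HasPrefix(f["path"], "/api/import") {
			continue // other endpoints are out of scope for this check
		}
		for _, s := range strings.Split(f["lists"], ",") {
			if id, err := strconv.Atoi(s); err == nil && !permitted[f["user"]][id] {
				out = append(out, Finding{User: f["user"], Path: f["path"], ListID: id})
			}
		}
	}
	return out
}

func main() {
	for _, fd := range FindUnauthorizedListRefs(sampleLog) {
		fmt.Printf("%s referenced list %d via %s\n", fd.User, fd.ListID, fd.Path)
	}
}
```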
Monitoring Recommendations
- Enable verbose logging for all list access operations in listmonk
- Implement alerting for users accessing lists outside their permission scope
- Regularly audit user permissions and access patterns in multi-user environments
- Deploy web application firewall rules to log requests with suspicious list ID patterns
How to Mitigate CVE-2026-34584
Immediate Actions Required
- Upgrade listmonk to version 6.1.0 or later immediately
- Audit existing user permissions and list access configurations
- Review access logs for any signs of unauthorized list access
- Consider temporarily restricting multi-user access until patching is complete
Patch Information
The vulnerability has been patched in listmonk version 6.1.0. The fix implements proper permission filtering across multiple handlers by adding calls to user.FilterListsByPerm() to validate that users can only access lists they have explicit permission to view or manage. The security patch is available via the GitHub Release v6.1.0. Additional details are documented in the GitHub Security Advisory GHSA-85j8-5c6w-gcpv.
Workarounds
- Restrict listmonk to single-user mode if upgrading is not immediately possible
- Remove untrusted users from multi-user deployments until the patch is applied
- Implement network-level access controls to limit who can access the listmonk interface
- Deploy a reverse proxy with additional authorization checks for sensitive endpoints
# Upgrade listmonk to patched version
# Stop the current listmonk instance
systemctl stop listmonk
# Download and install version 6.1.0 or later
# Follow official upgrade documentation at https://listmonk.app
# Verify the installed version
listmonk --version
# Restart the service
systemctl start listmonk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.