Stored credentials in Redmine

Posted date 31/03/2026
Identifier
INCIBE-2026-245
Importance
3 - Medium
Affected Resources

Redmine all versions prior to 6.0.7, 5.1.10 and 5.0.14.

Description

INCIBE has coordinated the publication of a medium-severity vulnerability affecting the login form of Redmine, a flexible project management web application. The vulnerability was discovered by David Rubio Lora.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2026-1836: CVSS v4.0: 5.3 | CVSS AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-257

Solution

The vulnerability has been fixed by the Redmine team in versions 6.0.7, 5.1.10 and 5.0.14.
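The following is an added example, not code from INCIBE or the Redmine project: a branch-aware check of a Redmine version string against the fixed releases listed above. It assumes version strings of the form "5.1.9" or "5.1.9.stable"; the function name and the sample inventory are hypothetical.

```ruby
require "rubygems" # Gem::Version ships with Ruby

# Fixed releases named in the advisory, keyed by release branch (major.minor).
FIXED_BY_BRANCH = {
  "5.0" => Gem::Version.new("5.0.14"),
  "5.1" => Gem::Version.new("5.1.10"),
  "6.0" => Gem::Version.new("6.0.7"),
}.freeze
NEWEST_FIX = FIXED_BY_BRANCH.values.max

# Classify a Redmine version string against CVE-2026-1836.
# Returns :affected, :fixed, :not_listed or :unknown.
def cve_2026_1836_status(version_string)
  # Assumption: versions look like "5.1.9" or "5.1.9.stable".
  m = version_string.to_s.strip.match(/\A(\d+)\.(\d+)\.(\d+)(?:\.([a-z]+))?\z/)
  return :unknown unless m
  # Non-release builds (e.g. ".devel") cannot be judged by number alone.
  return :unknown if m[4] && m[4] != "stable"

  version = Gem::Version.new("#{m[1]}.#{m[2]}.#{m[3]}")
  fixed_in = FIXED_BY_BRANCH["#{m[1]}.#{m[2]}"]
  if fixed_in
    version < fixed_in ? :affected : :fixed
  elsif version < NEWEST_FIX
    :affected   # older branch with no fixed release named in the advisory
  else
    :not_listed # newer than every release the advisory mentions
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not data from the advisory.
  %w[4.2.11 5.0.13 5.0.14.stable 5.1.9 5.1.10 6.0.6 6.0.7 6.1.0 6.0.7.devel].each do |v|
    puts format("%-14s %s", v, cve_2026_1836_status(v))
  end
end
```

A plain numeric comparison against 6.0.7 alone would flag 5.1.10 and 5.0.14 as affected, which is why the check compares within each release branch first.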

Detail

CVE-2026-1836: the system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.

CVE

CVE identifier  Severity  Exploitation  Vendor
CVE-2026-1836   Medium    No            Redmine