CVE-2026-39912 — AI Deep Analysis Summary

🚨 **Essence**: V2Board/Xboard leaks auth tokens in HTTP responses. 💥 **Consequence**: Unauthenticated attackers can hijack accounts and gain full control. It's a critical data exposure flaw.

🛡️ **CWE**: CWE-201 (Information Exposure Through Sent Data).…

📦 **Affected**: V2Board versions **1.6.1 to 1.7.4**. 📦 **Also Affected**: Xboard versions **0.1.9 and earlier**. 🏢 **Vendor**: v2board / cedar2025.

🔓 **Privileges**: Full account takeover. 📂 **Data**: Access to all user data, subscription configs, and panel settings. No login required for the attacker to exploit the leaked token.

📉 **Threshold**: LOW. 🚫 **Auth**: No authentication needed to trigger the vulnerability. ⚙️ **Config**: Requires the victim to use the 'Login with Mail Link' feature, which is a standard admin/user action.

🔍 **Exploit Status**: Public technical descriptions exist (e.g., chocapikk.com). 📝 **PoC**: Specific code references provided in GitHub issues. Wild exploitation is likely possible given the low barrier.

🔎 **Check**: Scan for V2Board/Xboard instances. 📡 **Test**: Trigger a `loginWithMailLink` request and inspect the HTTP response body for exposed JWT/Auth tokens. Look for sensitive data in plain text responses.

✅ **Fixed**: Yes. PR #981 on GitHub addresses the issue. 📅 **Published**: Advisory released on 2026-04-09. Users should update to patched versions immediately.

🛡️ **Workaround**: Disable the `loginWithMailLink` feature if possible. 🚫 **Mitigation**: Implement strict response filtering to prevent token leakage. Monitor logs for unusual auth token exposures.

🔥 **Priority**: CRITICAL. 🚨 **Urgency**: High. CVSS Score indicates High Confidentiality and Integrity impact. Immediate patching is required to prevent account takeovers.