V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
Present
Additional conditions required
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 8
https://chocapikk.com/posts/2026/xboard-v2board-account-takeover/
disclosure@vulncheck.com
https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660…
disclosure@vulncheck.com
https://github.com/cedar2025/Xboard/blob/1fe6531924cc1ec662a88b9ef725afcf78d660…
disclosure@vulncheck.com
https://github.com/cedar2025/Xboard/commit/121511523f04882ec0c7447acd9b8ebcb8a4…
disclosure@vulncheck.com
https://github.com/cedar2025/Xboard/pull/873
disclosure@vulncheck.com
https://github.com/v2board/v2board/blob/0ca47622a50116d0ddd7ffb316b157afb57d25e…
disclosure@vulncheck.com
https://github.com/v2board/v2board/pull/981
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/v2board-xboard-authentication-token-exposu…
disclosure@vulncheck.com