CVE-2026-1836
Description
Redmine login form stores submitted credentials in browser memory, allowing local attackers with platform access to retrieve them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Redmine versions prior to 6.0.7, 5.1.10, and 5.0.14 store the username and password submitted via the login form in the browser's memory after the request is completed [1]. This vulnerability (CWE-257) occurs because the application does not clear sensitive form data from the rendering context after authentication. No special configuration is required for the code path; any login submission triggers the storage.
Exploitation
An attacker who already has local access to the platform—such as shared workstation access, a compromised user session, or physical access to an unattended browser—can retrieve the stored credentials by navigating back to the login form or inspecting the browser's form history or DOM [1]. No authentication is needed for this retrieval because the data persists post-submission.
Impact
Successful exploitation allows the attacker to disclose the victim's Redmine login credentials (username and password). This information disclosure can enable further unauthorized access to the Redmine instance and potentially to other services if credentials are reused [1].
Mitigation
The Redmine team has fixed this vulnerability in releases 6.0.7, 5.1.10, and 5.0.14 [1]. Users running earlier versions should upgrade immediately. No workarounds are provided in the available reference. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.