A vulnerability classified as problematic has been found in Leantime up to 3.4.4. This affects the function
Users::getUser of the component JSON-RPC API. This manipulation of the argument user ID causes improper authorization.
This vulnerability appears as CVE-2026-59712. The attack may be initiated remotely. There is no available exploit.