From 121511523f04882ec0c7447acd9b8ebcb8a47957 Mon Sep 17 00:00:00 2001
From: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com>
Date: Thu, 9 Apr 2026 20:44:20 +0200
Subject: [PATCH] Fix: CVE-2026-39912 - Magic link token leak in loginWithMailLink (#873)

The loginWithMailLink endpoint returns the magic login link in the HTTP response body, allowing unauthenticated account takeover. The fix returns true instead of the link. The email delivery is the authentication factor. Bug inherited from V2Board commit bdb10bed (2022-06-27).
---
 app/Services/Auth/MailLinkService.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Services/Auth/MailLinkService.php b/app/Services/Auth/MailLinkService.php
index 259ced7..ecf7c6d 100644
--- a/app/Services/Auth/MailLinkService.php
+++ b/app/Services/Auth/MailLinkService.php
@@ -46,7 +46,7 @@ class MailLinkService
 $this->sendMailLinkEmail($user, $link);
- return [true, $link];
+ return [true, true];
 }
 /**
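Review bot: The second element of `return [true, true];` is now a meaningless placeholder that keeps the old tuple shape for existing callers, but nothing in the code records why the link was removed, so a later refactor could reintroduce `$link` there without noticing the consequence. Add a comment above the return, `// Never return $link: it is the credential and must only reach the user through the email sent above.`, and update the method's docblock `@return` to describe the second element as a compatibility placeholder rather than the link. Because the array shape is unchanged, it is also worth confirming that the controller consuming this result no longer copies the second element into the JSON response and that `$link` is not written to any log by `sendMailLinkEmail`. The enclosing method starts before this hunk.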