GHSA-MCVF-JXCW-VJ73

Vulnerability from github – Published: 2026-04-29 20:36 – Updated: 2026-05-14 20:39
VLAI
Summary
CKAN has CSRF exemption primed by anonymous requests
Details

Views can be marked as exempt from CSRF protection

Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection.

The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. Thsi API was never intended for request level changes, it is primarily a decorator for static configuration.

An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi).

This could be leveraged with XSS to perform actions using other user's credentials.

References

Severity
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ckan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.11.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "ckan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.11.0"
            },
            {
              "fixed": "2.11.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:36:07Z",
    "nvd_published_at": "2026-05-13T19:17:22Z",
    "severity": "MODERATE"
  },
  "details": "Views can be marked as exempt from CSRF protection \n\nAccess to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. \n\nThe marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. Thsi API was never intended for request level changes, it is primarily a decorator for static configuration. \n\nAn unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi).\n\nThis could be leveraged with XSS to perform actions using other user\u0027s credentials.\n\n### References\n\n* [Vulnerability report](https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255) by @Shirshaw64p (original reporter)",
  "id": "GHSA-mcvf-jxcw-vj73",
  "modified": "2026-05-14T20:39:41Z",
  "published": "2026-04-29T20:36:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41255"
    },
    {
      "type": "WEB",
      "url": "https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29"
    },
    {
      "type": "WEB",
      "url": "https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ckan/ckan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CKAN has CSRF exemption primed by anonymous requests"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.