CKAN CVE-2026-41132
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
Configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks.
Patches
The vulnerability has been patched in CKAN 2.10.10 and CKAN 2.11.5
AnalysisAI
CKAN fails to validate SMTP server certificates, allowing attackers to spoof the configured mail server with any certificate including self-signed ones and intercept SMTP credentials and email content via man-in-the-middle attack. Versions below 2.10.10 and 2.11.0 through 2.11.4 are affected. Vendor-released patches are available in CKAN 2.10.10 and 2.11.5.
Technical ContextAI
CKAN is a data management platform written in Python that uses SMTP for email notifications. The vulnerability exists in the SMTP client implementation, which establishes TLS connections to configured mail servers without performing certificate validation. This violates CWE-295 (Improper Certificate Validation), a critical class of vulnerability that undermines the entire purpose of SMTP's STARTTLS or implicit TLS encryption. An attacker positioned on the network path between CKAN and the SMTP server can present any certificate (including self-signed) and the CKAN application will accept it, believing the connection is secure when it is not. This is a classic TLS implementation flaw where the certificate chain is not verified against a trusted root CA store, leaving the SMTP authentication credentials and all email content transmitted in plaintext from the attacker's perspective.
RemediationAI
Upgrade CKAN to version 2.10.10 or later (if on the 2.10 branch) or to version 2.11.5 or later (if on the 2.11 branch). These patched versions implement proper SMTP certificate validation, preventing spoofing attacks. The upgrade process is documented in the CKAN changelog at https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29. For organizations unable to patch immediately, compensating controls include: (1) restricting network access to the SMTP server using firewall rules or network segmentation to trusted hosts only-this eliminates the network adjacency required for a MITM attack but requires careful network architecture; (2) configuring CKAN to use an SMTP server on localhost or a directly-connected, hardened mail relay to minimize the attack surface, though this may not be feasible in all deployments; (3) monitoring SMTP connections for unexpected certificates or connection attempts, though this is reactive rather than preventive. None of these workarounds are as effective as applying the patch, which is the recommended primary action.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mpfm-fpgx-647q