Skip to main content

CKAN CVE-2026-41132

MEDIUM
Improper Certificate Validation (CWE-295)
2026-04-29 https://github.com/ckan/ckan GHSA-mpfm-fpgx-647q
6.6
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
May 13, 2026 - 19:22 NVD
6.6 (MEDIUM)
Source Code Evidence Fetched
Apr 29, 2026 - 20:59 vuln.today
Analysis Generated
Apr 29, 2026 - 20:59 vuln.today
Analysis Generated
Apr 29, 2026 - 20:45 vuln.today
CVE Published
Apr 29, 2026 - 20:33 nvd
MEDIUM

DescriptionGitHub Advisory

Impact

Configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks.

Patches

The vulnerability has been patched in CKAN 2.10.10 and CKAN 2.11.5

AnalysisAI

CKAN fails to validate SMTP server certificates, allowing attackers to spoof the configured mail server with any certificate including self-signed ones and intercept SMTP credentials and email content via man-in-the-middle attack. Versions below 2.10.10 and 2.11.0 through 2.11.4 are affected. Vendor-released patches are available in CKAN 2.10.10 and 2.11.5.

Technical ContextAI

CKAN is a data management platform written in Python that uses SMTP for email notifications. The vulnerability exists in the SMTP client implementation, which establishes TLS connections to configured mail servers without performing certificate validation. This violates CWE-295 (Improper Certificate Validation), a critical class of vulnerability that undermines the entire purpose of SMTP's STARTTLS or implicit TLS encryption. An attacker positioned on the network path between CKAN and the SMTP server can present any certificate (including self-signed) and the CKAN application will accept it, believing the connection is secure when it is not. This is a classic TLS implementation flaw where the certificate chain is not verified against a trusted root CA store, leaving the SMTP authentication credentials and all email content transmitted in plaintext from the attacker's perspective.

RemediationAI

Upgrade CKAN to version 2.10.10 or later (if on the 2.10 branch) or to version 2.11.5 or later (if on the 2.11 branch). These patched versions implement proper SMTP certificate validation, preventing spoofing attacks. The upgrade process is documented in the CKAN changelog at https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29. For organizations unable to patch immediately, compensating controls include: (1) restricting network access to the SMTP server using firewall rules or network segmentation to trusted hosts only-this eliminates the network adjacency required for a MITM attack but requires careful network architecture; (2) configuring CKAN to use an SMTP server on localhost or a directly-connected, hardened mail relay to minimize the attack surface, though this may not be feasible in all deployments; (3) monitoring SMTP connections for unexpected certificates or connection attempts, though this is reactive rather than preventive. None of these workarounds are as effective as applying the patch, which is the recommended primary action.

Share

CVE-2026-41132 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy