Skip to main content

CKAN CVE-2026-41255

MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-29 https://github.com/ckan/ckan GHSA-mcvf-jxcw-vj73
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
Apr 29, 2026 - 20:59 vuln.today
Analysis Generated
Apr 29, 2026 - 20:59 vuln.today
Analysis Generated
Apr 29, 2026 - 20:45 vuln.today
CVE Published
Apr 29, 2026 - 20:36 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Views can be marked as exempt from CSRF protection

Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection.

The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. Thsi API was never intended for request level changes, it is primarily a decorator for static configuration.

An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi).

This could be leveraged with XSS to perform actions using other user's credentials.

AnalysisAI

CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.

Technical ContextAI

CKAN is a data management and publishing platform built on Flask that uses flask-wtf for CSRF protection. The vulnerability stems from improper use of the CSRFProtect class from flask-wtf, where a member variable tracking CSRF exemption status was stored as a module-level variable in the Flask application middleware rather than being request-scoped. The CSRFProtect decorator API was designed for static, application-startup configuration, not dynamic per-request changes. When an unauthenticated or token-authenticated request accesses a protected endpoint, the exemption flag persists across subsequent requests in the same worker process (relevant for multi-process servers like uWSGI), effectively disabling CSRF validation for all following requests in that process. This violates the principle that CSRF exemptions should be declaratively set at route definition time, not mutated by request handling logic. The root cause is CWE-352 (Cross-Site Request Forgery), compounded by improper state management in a shared middleware object.

RemediationAI

Upgrade CKAN to version 2.10.10 or later if currently on the 2.10.x branch, or to version 2.11.5 or later if on the 2.11.x branch. Upgrade instructions are available at https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29 and https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29 respectively. For organizations unable to patch immediately, implement the following compensating controls: (1) Deploy CKAN using a single-process model or with process isolation such that each worker process handles a limited set of requests before recycling - this limits the duration an exemption flag remains active; (2) restrict network access to CKAN endpoints at the load balancer or firewall level to authenticated IP ranges only, reducing exposure to anonymous request triggering; (3) conduct an urgent security audit for cross-site scripting vulnerabilities in CKAN templates and custom plugins, as XSS is the necessary delivery vector for exploiting the CSRF exemption; (4) implement a Web Application Firewall to detect and block suspicious patterns combining CSRF token reuse with XSS payloads. Note that these controls do not fix the underlying defect and should be considered temporary measures pending patching.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-41255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy