CVE-2026-41255— CKAN: CSRF exemption primed by anonymous requests
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41255
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
CKAN: CSRF exemption primed by anonymous requests
Source: NVD (National Vulnerability Database)
Vulnerability Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. This API was never intended for request level changes, it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi). This vulnerability is fixed in 2.10.10 and 2.11.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨站请求伪造(CSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
CKAN 跨站请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
CKAN是CKAN开源的一个开源 DMS(数据管理系统)。用于为数据中心和数据门户提供动力。 CKAN 2.10.10之前版本和2.11.5之前版本存在跨站请求伪造漏洞,该漏洞源于通过令牌或未经身份验证的请求访问视图将端点标记为不需要CSRF保护,导致未经身份验证的请求可能命中受保护端点,使其在服务器进程生命周期内免于CSRF保护。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41255
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41255
请登录查看更多情报信息。
- https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-41255
Same Patch Batch · ckan · 2026-05-13 · 4 CVEs total
| CVE-2026-41132 | CKAN: No certificate validation on STMP connection | |
| CVE-2026-42032 | CKAN: Unauthenticated Authorization Bypass in `datastore_search_sql` | |
| CVE-2026-42031 | CKAN: Unauthenticated SQL Injection and Authorization Bypass in `datastore_search_sql` |
IV. Related Vulnerabilities
Same product: ckan
- CVE-2026-42032
CKAN: Unauthenticated Authorization Bypass in `datastore_sea - CVE-2026-41132
CKAN: No certificate validation on STMP connection - CVE-2026-42031
CKAN: Unauthenticated SQL Injection and Authorization Bypass - CVE-2025-64100
CKAN Vulnerable to Session Cookie Fixation - CVE-2025-54384
CKAN stored XSS vulnerability in Markdown description fields
Same vendor: ckan
- CVE-2026-42032
CKAN: Unauthenticated Authorization Bypass in `datastore_sea - CVE-2026-41132
CKAN: No certificate validation on STMP connection - CVE-2026-42031
CKAN: Unauthenticated SQL Injection and Authorization Bypass - CVE-2025-64100
CKAN Vulnerable to Session Cookie Fixation - CVE-2025-54384
CKAN stored XSS vulnerability in Markdown description fields
Same weakness: CWE-352
- CVE-2018-25334
Zechat 1.5 Cross-Site Request Forgery (CSRF) via hashtag par - CVE-2018-25337
Joomla JoomOCShop 1.0 Cross-Site Request Forgery - CVE-2018-25336
Joomla jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery - CVE-2018-25327
Joomla! Component Js Jobs 1.2.0 Cross-Site Request Forgery - CVE-2018-25321
TP-Link TL-WR720N All Versions CSRF via Administrative Inter
V. Comments for CVE-2026-41255
No comments yet