VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-aard-5zu9-8udg

Essentials
Severities (16)
References (8)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-aard-5zu9-8udg
Aliases	CVE-2026-41255 GHSA-mcvf-jxcw-vj73
Summary	CKAN has CSRF exemption primed by anonymous requests Views can be marked as exempt from CSRF protection Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. Thsi API was never intended for request level changes, it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi). This could be leveraged with XSS to perform actions using other user's credentials. ### References * [Vulnerability report](https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255) by @Shirshaw64p (original reporter)
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-352	Cross-Site Request Forgery (CSRF)
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	5e-05	https://api.first.org/data/v1/epss?cve=CVE-2026-41255
epss	5e-05	https://api.first.org/data/v1/epss?cve=CVE-2026-41255
cvssv3.1	6.1	https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29
generic_textual	MODERATE	https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29
cvssv3.1	6.1	https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29
generic_textual	MODERATE	https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29
cvssv3.1	6.1	https://github.com/ckan/ckan
generic_textual	MODERATE	https://github.com/ckan/ckan
cvssv3.1	6.1	https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73
generic_textual	MODERATE	https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73
ssvc	Track	https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73
cvssv3.1	6.1	https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255
generic_textual	MODERATE	https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255
ssvc	Track	https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255
cvssv3.1	6.1	https://nvd.nist.gov/vuln/detail/CVE-2026-41255
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-41255

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-41255
		https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29
		https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29
		https://github.com/ckan/ckan
		https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73
		https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255
		https://nvd.nist.gov/vuln/detail/CVE-2026-41255
GHSA-mcvf-jxcw-vj73		https://github.com/advisories/GHSA-mcvf-jxcw-vj73

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://docs.ckan.org/en/2.10/changelog.html#v-2-10-10-2026-04-29

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://docs.ckan.org/en/2.11/changelog.html#v-2-11-5-2026-04-29

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/ckan/ckan

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T12:44:10Z/ Found at https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-14T12:44:10Z/ Found at https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-41255

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.00226
EPSS Score	5e-05
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-04T16:52:55.911435+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mcvf-jxcw-vj73/GHSA-mcvf-jxcw-vj73.json	38.6.0