Description
Cross Site Request Forgery vulnerability in Squidex.io Squidex CMS v.7.21.0 and before allows a remote attacker to escalate privileges via the IdentityServer account profile endpoint
Published: 2026-06-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross‑Site Request Forgery flaw exists within the Account Profile endpoint of Squidex CMS that lets a remote attacker leverage the victim's authenticated session to elevate privileges. The endpoint accepts requests without adequate anti‑forgery validation, allowing malicious actors to modify account settings or assign administrative roles. This directly compromises the integrity and confidentiality of the system by granting unauthorized users elevated access.

Affected Systems

The vulnerability affects Squidex CMS version 7.21.0 and all earlier releases. No other vendors or products are listed as affected, and the problem is confined to the IdentityServer component of Squidex.

Risk and Exploitability

The EPSS score is not available and the issue is not listed in CISA KEV, but the nature of the flaw—CSRF with privilege escalation—indicates a high likelihood of exploitation against authenticated users. Attackers can craft a forged request that the victim’s browser will submit automatically, bypassing normal authorization checks. In the absence of a publicly released patch, the risk remains elevated until the software is updated or mitigated by additional controls.

Generated by OpenCVE AI on June 29, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available patch or upgrade to a newer Squidex CMS version that addresses this vulnerability
  • Implement CSRF protection on the IdentityServer account profile endpoint, ensuring that anti‑forgery tokens are required and validated
  • Enforce strict role‑based access control so that only users with administrative privileges can access and alter account profiles

Generated by OpenCVE AI on June 29, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Cross‑Site Request Forgery Enabling Privilege Escalation in Squidex CMS
Weaknesses CWE-285

Mon, 29 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description Cross Site Request Forgery vulnerability in Squidex.io Squidex CMS v.7.21.0 and before allows a remote attacker to escalate privileges via the IdentityServer account profile endpoint
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-29T20:39:16.456Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31016

cve-icon Vulnrichment

Updated: 2026-06-29T20:39:11.649Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T22:00:05Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-352

    Cross-Site Request Forgery (CSRF)