Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in 2.10.10 and 2.11.5.
Published: 2026-05-13
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CKAN data management system fails to validate TLS certificates when connecting to an SMTP server. This omission allows an attacker to substitute a self-signed or otherwise forged certificate so that the system believes it is communicating with a legitimate mail server. As a consequence, all SMTP credentials that CKAN forwards to the server, along with every email it sends, can be harvested by the attacker, exposing confidential data and enabling further phishing or spoofing attacks. The flaw is an instance of improper certificate validation (CWE-295).

Affected Systems

CKAN versions earlier than 2.10.10 and 2.11.5 are affected. The vulnerability applies to any deployment of CKAN that uses the default SMTP configuration and does not explicitly enforce certificate verification.

Risk and Exploitability

With a CVSS score of 6.6 the vulnerability represents moderate risk. The EPSS score is not available, and the flaw is not listed in CISA's KEV catalogue, indicating limited publicly known exploitation. The likely attack path involves an attacker impersonating the SMTP server in the network path between the CKAN instance and the mail host, or compromising DNS to redirect traffic. Because CKAN accepts arbitrary certificates, the attacker can perform a man-in-the-middle attack without needing privileged access to the CKAN server itself.

Generated by OpenCVE AI on May 13, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CKAN to version 2.10.10 or later, or to 2.11.5 or newer, where TLS certificate validation is enabled.
  • Reconfigure the SMTP settings on the CKAN instance to point only to trusted mail servers and enforce certificate verification if supported.
  • Review network and DNS configurations to ensure that mail traffic cannot be redirected to untrusted hosts, and block any unintended outbound SMTP connections.
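The recommended actions above come down to one configuration property: the TLS context used for the outbound SMTP session must verify the server's certificate chain and hostname. CKAN is a Python application, so the example below, added here and not taken from CKAN or the advisory, shows in Python's standard smtplib/ssl modules the weak context that produces the CWE-295 condition this CVE describes, the verifying context that closes it, and a startup guard that refuses to send mail when verification is off. The host, port, credentials and message are constructed placeholders, and the CA bundle argument is an assumption for deployments that use an internal relay with a private CA.

```python
"""Added example (not CKAN's code): verifying vs. non-verifying TLS
contexts for an outbound SMTP STARTTLS session."""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional


def weak_tls_context() -> ssl.SSLContext:
    """The failure mode behind the advisory: any certificate, including a
    self-signed one, is accepted, so a host on the path to the mail server
    can terminate TLS itself and read the AUTH credentials and every message."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The fixed configuration: require a chain to a trusted CA and a
    hostname match. cafile (assumption) lets an internal relay signed by a
    private CA be trusted without disabling verification globally."""
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context already sets both; restate them so a later
    # edit to this function cannot silently weaken the policy.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """Startup guard: True only if the context will reject a forged server."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def send_verified(host: str, port: int, user: str, password: str,
                  msg: EmailMessage, cafile: Optional[str] = None) -> None:
    """Send one message over STARTTLS. A spoofed or self-signed server
    certificate raises ssl.SSLCertVerificationError inside starttls(),
    before any credentials leave the process."""
    ctx = verified_tls_context(cafile)
    if not context_is_verifying(ctx):
        raise RuntimeError("refusing to send: TLS context does not verify the server")
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder values; no connection is attempted here.
    msg = EmailMessage()
    msg["From"] = "portal@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("hello")
    print("weak context verifies server:", context_is_verifying(weak_tls_context()))
    print("fixed context verifies server:", context_is_verifying(verified_tls_context()))
    # send_verified("smtp.example.invalid", 587, "user", "password", msg)
```

The guard matters because `ssl.create_default_context()` is verifying by default; the weakness arises only when code or configuration later sets `verify_mode = CERT_NONE` or passes an unverified context, so checking the context once at startup catches that regression regardless of where it was introduced.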

Generated by OpenCVE AI on May 13, 2026 at 20:24 UTC.

Advisories
Source: Github GHSA
ID: GHSA-mpfm-fpgx-647q
Title: CKAN has no certificate validation on STMP connection
History

Fri, 15 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Okfn, Okfn ckan
CPEs | - | cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*
Vendors & Products | - | Okfn, Okfn ckan
Metrics | - | cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Thu, 14 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Ckan, Ckan ckan
Vendors & Products | - | Ckan, Ckan ckan

Wed, 13 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Description | - | CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in 2.10.10 and 2.11.5.
Title | - | CKAN: No certificate validation on STMP connection
Weaknesses | - | CWE-295
References | - |
Metrics | - | cvssV4_0 {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T15:42:18.881Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41132

Vulnrichment

Updated: 2026-05-14T15:42:10.997Z

NVD

Status: Analyzed

Published: 2026-05-13T19:17:21.553

Modified: 2026-05-15T14:57:57.720

Link: CVE-2026-41132

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:30:04Z

Weaknesses