Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, access to views via API tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module-level variable in the flask_app middleware. This API was never intended for request-level changes; it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process (e.g. one uwsgi worker). This vulnerability is fixed in 2.10.10 and 2.11.5.
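The following is an added illustration of the bug class the description names, not CKAN's or Flask-WTF's code: a per-request CSRF decision written into a process-wide exemption set, beside the same decision kept in request scope. The ProcessWideCsrf class, the Request shape and the request sequence are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ProcessWideCsrf:
    """Constructed stand-in for a module-level CSRFProtect-style object:
    its exemption set lives as long as the worker process, not one request."""
    exempt_views: set = field(default_factory=set)

    def exempt(self, view: str) -> None:
        self.exempt_views.add(view)

csrf = ProcessWideCsrf()  # module-level: shared by every request this worker serves

@dataclass
class Request:
    view: str
    auth: str                 # "cookie" (browser session), "token" (API token) or "anon"
    csrf_token_valid: bool = False

def session_free(req: Request) -> bool:
    # Token-authenticated and anonymous requests carry no ambient browser
    # session, so a CSRF token only matters for cookie-session requests.
    return req.auth in ("token", "anon")

def check_vulnerable(req: Request) -> str:
    # Bug pattern: a per-request decision is written into process-wide state,
    # so one token/anonymous hit exempts the view for every later request.
    if session_free(req):
        csrf.exempt(req.view)
    if req.view in csrf.exempt_views:
        return "skipped"
    return "validated" if req.csrf_token_valid else "rejected"

def check_fixed(req: Request) -> str:
    # Fixed pattern: the same decision, scoped to this request only.
    if session_free(req):
        return "skipped"
    return "validated" if req.csrf_token_valid else "rejected"

# Constructed sequence against one state-changing view on a single worker.
SCENARIO = [
    Request("dataset_delete", "cookie"),                         # no CSRF token
    Request("dataset_delete", "token"),                          # API client
    Request("dataset_delete", "cookie"),                         # no token, again
    Request("dataset_delete", "cookie", csrf_token_valid=True),  # proper form post
]

def run_scenario(check) -> list:
    csrf.exempt_views.clear()  # start from a freshly spawned worker
    return [check(r) for r in SCENARIO]
```

The third request is the one to watch: the vulnerable checker waves it through because the second request primed the process-wide set, while the fixed checker still rejects it.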
Published: 2026-05-13
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when an unauthenticated request can modify the CSRF exemption state of a protected endpoint in CKAN. This allows an attacker to bypass the CSRF protection on subsequent requests handled by the same server process, potentially enabling forged cross-site requests to perform actions such as data updates or deletions without proper authorization. The weakness is a classic CSRF bypass, identified as CWE-352, and it can compromise the integrity of data managed by CKAN.

Affected Systems

CKAN is affected. Versions prior to 2.10.10 and 2.11.5 are vulnerable, but the CVE data lacks a precise list of affected build identifiers. Administrators should verify whether their CKAN installation runs any of these older releases.

Risk and Exploitability

With a CVSS score of 6.1, the vulnerability is considered moderate. The EPSS score is not available, and it is not listed in the CISA KEV catalog, indicating no confirmed public exploitation yet. An attacker can trigger the vulnerability by sending a simple unauthenticated HTTP request to a protected endpoint; once the endpoint is marked as exempt from CSRF protection for that server process, subsequent requests (even from other users) can be submitted without the required CSRF token. This makes exploitation straightforward and potentially impactful if the endpoint performs sensitive operations.

Generated by OpenCVE AI on May 13, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CKAN to version 2.10.10 or 2.11.5 or later; the fix removes the ability to exempt endpoints via unauthenticated requests.
  • Disable any anonymous access to endpoints that require CSRF protection to avoid accidental priming.
  • Verify that all protected endpoints have CSRF protection enabled after deployment by reviewing the CSRF configuration in the CKAN middleware.

Advisories

Source: GitHub GHSA
ID: GHSA-mcvf-jxcw-vj73
Title: CKAN has CSRF exemption primed by anonymous requests
History

Fri, 15 May 2026 15:00:00 +0000

Values added:
  First Time appeared: Okfn; Okfn ckan
  CPEs: cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:*
  Vendors & Products: Okfn; Okfn ckan

Thu, 14 May 2026 13:15:00 +0000

Values added:
  Metrics: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 20:45:00 +0000

Values added:
  First Time appeared: Ckan; Ckan ckan
  Vendors & Products: Ckan; Ckan ckan

Wed, 13 May 2026 19:15:00 +0000

Values added:
  Description: CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. This API was never intended for request level changes, it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi). This vulnerability is fixed in 2.10.10 and 2.11.5.
  Title: CKAN: CSRF exemption primed by anonymous requests
  Weaknesses: CWE-352
  References:
  Metrics: cvssV3_1
  {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:44:14.133Z

Reserved: 2026-04-18T14:01:46.800Z

Link: CVE-2026-41255

Vulnrichment

Updated: 2026-05-14T12:44:02.090Z

NVD

Status: Analyzed

Published: 2026-05-13T19:17:22.127

Modified: 2026-05-15T14:58:38.867

Link: CVE-2026-41255

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T20:30:04Z

Weaknesses