CVE-2026-41255

Published: May 13, 2026

Modified: May 14, 2026

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, Access to the views via tokens or unauthenticated requests marked the endpoint as not requiring CSRF protection. The marking was a member variable in flask-wtf.csrf.CSRFProtect(), which was stored as a module level variable in the flask_app middleware. This API was never intended for request level changes, it is primarily a decorator for static configuration. An unauthenticated request could hit a protected endpoint, exempting it from CSRF protection for the life of the particular server process. (e.g. one worker of uwsgi). This vulnerability is fixed in 2.10.10 and 2.11.5.

Vendor	Product	Versions
ckan	ckan	affected `>= 2.11.0, < 2.11.5` affected `< 2.10.10`

Weaknesses (CWE)

CWE-352

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/ckan/ckan/security/advisories/GHSA-mcvf-jxcw-vj73

x_refsource_CONFIRM

https://github.com/Shirshaw64p/security-advisories/tree/main/CVE-2026-41255

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-41255

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References