CVE-2026-41255

Name of the Vulnerable Software and Affected Versions CKAN versions prior to 2.10.10 CKAN versions prior to 2.11.5

Description Accessing views via tokens or unauthenticated requests can mark an endpoint as not requiring Cross-Site Request Forgery (CSRF) protection. This occurs because the marking is a member variable in flask-wtf.csrf.CSRFProtect(), stored as a module-level variable in the flask app middleware. Since this API is intended for static configuration rather than request-level changes, an unauthenticated request can exempt a protected endpoint from CSRF protection for the duration of the server process. This behavior could be leveraged alongside Cross-Site Scripting (XSS) to perform actions using the credentials of other users.

Recommendations Update to version 2.10.10. Update to version 2.11.5.