CVE-2026-40174 Overview
CVE-2026-40174 is a Cross-Site Request Forgery (CSRF) vulnerability in Masa CMS, a content management system forked from Mura CMS. The flaw affects versions 7.5.2 and earlier. The cUsers.updateAddress function fails to validate anti-CSRF tokens for user address management operations.
An attacker can induce a logged-in administrator to submit forged requests that add, modify, or delete user address records. Affected data includes email addresses and phone numbers stored in the user directory. The issue maps to CWE-352: Cross-Site Request Forgery.
Critical Impact
An attacker who lures a logged-in administrator to a malicious page can ride that administrator's session to corrupt contact records and redirect organizational communications without ever authenticating to the CMS.
Affected Products
- Masa CMS versions 7.5.0 through 7.5.2
- Masa CMS versions 7.4.0 through 7.4.9
- Masa CMS versions 7.3.0 through 7.3.14
- Masa CMS versions 7.2.x through 7.2.9
Discovery Timeline
- 2026-05-06 - CVE-2026-40174 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-40174
Vulnerability Analysis
The vulnerability resides in the cUsers.updateAddress function within Masa CMS. The function processes administrative requests for managing user address records but omits anti-CSRF token validation. This allows cross-origin requests to invoke privileged actions when an authenticated administrator visits an attacker-controlled page.
Exploitation requires user interaction. The administrator must have an active authenticated session and be tricked into loading attacker content. Once triggered, the browser submits the forged request with the administrator's session cookies, and the application executes the action as if it were legitimate.
Successful exploitation produces integrity impact on user directory data. Attackers can add fraudulent contact entries, overwrite existing email addresses, change phone numbers, or delete address records. Confidentiality impact is limited to data exposure resulting from redirected communications.
Root Cause
The root cause is missing CSRF token verification on a state-changing endpoint. The application relies solely on session cookies to authorize address modification operations. Browsers automatically attach these cookies to cross-origin requests, which makes the endpoint reachable from any third-party origin.
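As an added illustration (not Masa CMS code), the two handlers below contrast the cookie-only authorization described above with the synchronizer-token check the fixed releases are described as adding. The in-memory session store, the request shape and the form field names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))  # unreadable from other origins

@dataclass
class Request:
    cookies: dict  # the browser attaches these even to cross-site form posts
    form: dict     # every form field is under the submitting page's control

SESSIONS = {}   # session id -> Session (constructed in-memory store)
ADDRESSES = {}  # user -> address record (constructed in-memory store)

def _admin_session(req: Request):
    s = SESSIONS.get(req.cookies.get("sid", ""))
    return s if s and s.is_admin else None

def update_address_vulnerable(req: Request) -> int:
    """Authorizes on the session cookie alone: the CWE-352 pattern."""
    if _admin_session(req) is None:
        return 403
    ADDRESSES[req.form["user"]] = {"email": req.form["email"], "phone": req.form["phone"]}
    return 200

def update_address_fixed(req: Request) -> int:
    """Same handler, but the request must also carry the session's own token."""
    s = _admin_session(req)
    if s is None:
        return 403
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), s.csrf_token.encode()):
        return 403  # a forged cross-site post cannot know the token
    ADDRESSES[req.form["user"]] = {"email": req.form["email"], "phone": req.form["phone"]}
    return 200

def demo() -> tuple:
    """Returns status codes for (vulnerable/forged, fixed/forged, fixed/legitimate)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user="admin", is_admin=True)
    # Cross-site submission: the victim's cookie rides along, the token does not.
    forged = Request(cookies={"sid": sid},
                     form={"user": "alice", "email": "x@example.net", "phone": "000"})
    legit = Request(cookies={"sid": sid}, form={**forged.form, "csrf_token": SESSIONS[sid].csrf_token})
    return update_address_vulnerable(forged), update_address_fixed(forged), update_address_fixed(legit)
```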
Attack Vector
The attack vector is network-based and requires no privileges on the target system. An attacker hosts a malicious page containing an auto-submitting form or JavaScript that targets the cUsers.updateAddress endpoint. Social engineering or a watering-hole technique drives the administrator to the page. The vulnerability mechanism follows the standard CSRF pattern described in the GitHub Security Advisory GHSA-572m-p246-4356.
Detection Methods for CVE-2026-40174
Indicators of Compromise
- Unexpected modifications to user address records, including email or phone field changes outside normal administrative workflows.
- HTTP POST requests to the cUsers.updateAddress endpoint with Referer or Origin headers pointing to external domains.
- Audit log entries showing address record creation or deletion that do not correlate with administrator-initiated tasks.
Detection Strategies
- Monitor web server access logs for requests to cUsers.updateAddress and correlate them with the originating Referer header to identify cross-origin submissions.
- Implement application-level logging that records the source IP, session ID, and parameters for every address modification operation.
- Compare administrator session activity timestamps against browser history or SIEM telemetry to identify requests submitted while the user was viewing third-party sites.
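As an added example (not part of the advisory or of Masa CMS), the script below applies the first two strategies to web server access logs in the Apache/nginx combined format: it picks out requests to cUsers.updateAddress and classifies each by whether its Referer is the CMS's own origin, a foreign origin, or absent. The log lines are constructed and the admin URL layout is an assumption.

```python
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENDPOINT = "cUsers.updateAddress"

def classify_referer(referer: str, trusted_origin: str) -> str:
    """Return 'same-origin', 'cross-origin' or 'missing' for one Referer value."""
    if referer in ("", "-"):
        return "missing"  # Referrer-Policy may strip it; neither proves nor clears the request
    u = urlsplit(referer)
    origin = f"{u.scheme}://{u.netloc}".lower()  # scheme + host[:port], compared case-insensitively
    return "same-origin" if origin == trusted_origin.rstrip("/").lower() else "cross-origin"

def find_suspicious_updates(lines, trusted_origin: str) -> list:
    """Flag every updateAddress request whose Referer is not the CMS's own origin."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m["path"]:
            continue  # unparsable line or unrelated endpoint
        verdict = classify_referer(m["referer"], trusted_origin)
        if verdict != "same-origin":
            findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                             "status": m["status"], "referer": m["referer"], "verdict": verdict})
    return findings

# Constructed sample log; the "/admin/?action=" URL layout is assumed, not taken from Masa CMS.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/May/2026:09:01:10 +0000] "POST /admin/?action=cUsers.updateAddress HTTP/1.1" 200 512 "https://cms.example.com/admin/?action=cUsers.editAddress" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2026:09:14:52 +0000] "POST /admin/?action=cUsers.updateAddress HTTP/1.1" 200 512 "https://news.example.net/article.html" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2026:09:15:03 +0000] "POST /admin/?action=cUsers.updateAddress HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2026:09:16:40 +0000] "GET /admin/?action=cUsers.list HTTP/1.1" 200 2048 "https://cms.example.com/admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_suspicious_updates(SAMPLE_LOG, "https://cms.example.com"):
        print(f"{f['time']} {f['ip']} {f['method']} referer={f['referer']!r} -> {f['verdict']}")
```

A "missing" verdict is a lead to correlate with the application-level log, not proof of forgery, since a strict Referrer-Policy on the CMS itself also removes the header.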
Monitoring Recommendations
- Alert on any address record changes that occur outside scheduled maintenance windows or known administrative IP ranges.
- Track baseline rates of address mutations per administrator and flag statistical anomalies for review.
- Forward Masa CMS application logs to a centralized SIEM for correlation with web proxy and endpoint telemetry.
How to Mitigate CVE-2026-40174
Immediate Actions Required
- Upgrade Masa CMS to a fixed release: 7.2.10, 7.3.15, 7.4.10, or 7.5.3.
- Audit the user directory for unauthorized address changes since the last verified backup.
- Force re-authentication for administrative accounts and rotate active session tokens after patching.
Patch Information
Masa CMS maintainers have released patched versions 7.2.10, 7.3.15, 7.4.10, and 7.5.3. The patches add anti-CSRF token validation to the cUsers.updateAddress function. Refer to the GitHub Security Advisory GHSA-572m-p246-4356 for upgrade guidance.
Workarounds
- Restrict access to the administrative backend using IP allowlists or VPN-only access controls.
- Use browser isolation for administrative sessions so that cross-origin requests cannot reach the CMS with valid session cookies.
- Deploy web application firewall rules that block requests to cUsers.updateAddress lacking a same-origin Referer or valid CSRF token.
# Example WAF rule (ModSecurity) blocking cross-origin requests to the affected endpoint.
# Replace https://cms.example.com/ with the CMS's real origin (placeholder value); keep the
# trailing slash so that a look-alike host such as cms.example.com.evil.example does not match.
# The chain denies only when a Referer is present and points elsewhere; requests that omit the
# header (e.g. under a strict Referrer-Policy) are not blocked, so this is a stopgap until the
# fixed release is installed.
SecRule REQUEST_URI "@contains cUsers.updateAddress" \
    "id:1040174,phase:1,deny,status:403,\
    chain,msg:'Block cross-origin CSRF attempt on Masa CMS updateAddress'"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith https://cms.example.com/"