CVE-2026-41255 Overview
CKAN is an open-source data management system (DMS) used to power data hubs and data portals. CVE-2026-41255 affects CKAN versions prior to 2.10.10 and 2.11.5. The vulnerability allows an unauthenticated attacker to permanently disable Cross-Site Request Forgery (CSRF) protection on a protected endpoint for the lifetime of a server worker process. The flaw stems from improper use of flask_wtf.csrf.CSRFProtect() as a module-level variable in the flask_app middleware. A single unauthenticated request to a protected endpoint exempts that endpoint from CSRF protection across all subsequent requests handled by the same worker [CWE-352].
Critical Impact
An unauthenticated request can permanently disable CSRF protection on a CKAN endpoint for the lifetime of a uWSGI worker process, exposing authenticated users to CSRF attacks.
Affected Products
- CKAN versions prior to 2.10.10
- CKAN versions prior to 2.11.5 (2.11.x branch)
- Deployments serving views via tokens or unauthenticated requests
Discovery Timeline
- 2026-05-13 - CVE-2026-41255 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41255
Vulnerability Analysis
The vulnerability resides in how CKAN integrates flask_wtf.csrf.CSRFProtect() within its flask_app middleware. CKAN marks endpoints as exempt from CSRF protection when they are accessed via tokens or unauthenticated requests. This exemption is recorded by mutating a member variable on the CSRFProtect() instance. The CSRFProtect() instance itself is held as a module-level singleton.
Flask-WTF's exemption API was designed as a decorator for static, application-startup configuration. CKAN repurposed it for per-request decisions. Because the exemption state is stored at module scope, any change persists for the lifetime of the Python process. One worker process retains the exempt state across all later requests it handles.
The practical consequence is endpoint-wide CSRF bypass. An unauthenticated attacker can poison a worker by sending a single request to a token-authenticated view. The targeted endpoint then accepts cross-site requests from authenticated users until the worker restarts [CWE-352].
Root Cause
The root cause is misuse of the flask-wtf CSRF exemption mechanism as runtime, request-scoped state. The exemption is stored on a shared instance rather than within request-local context. Process-level mutation by an unauthenticated caller affects all subsequent requests served by that worker.
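The shared-instance mutation described above, modelled in plain Python as an added illustration (this is not CKAN's or Flask-WTF's code; the class and endpoint names are hypothetical). The vulnerable protector records exemptions on a module-level set, the fixed shape records them on a request-local context:

```python
from dataclasses import dataclass, field

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
VALID_CSRF = "csrf-sample-token"  # constructed value a same-site form would carry

@dataclass
class Request:
    endpoint: str
    method: str
    token_auth: bool = False                 # API-token client, no browser session
    csrf_token: str = ""
    ctx: dict = field(default_factory=dict)  # request-local scratch, like flask.g

class SharedProtector:
    """Module-level singleton: exempt() mutates a set that outlives the request."""
    def __init__(self):
        self._exempt_views = set()
    def exempt(self, endpoint):
        self._exempt_views.add(endpoint)
    def check(self, req):
        if req.method not in UNSAFE_METHODS or req.endpoint in self._exempt_views:
            return True
        return req.csrf_token == VALID_CSRF

class RequestLocalProtector:
    """Fixed shape: the exemption lives on the request context and dies with it."""
    def exempt(self, req):
        req.ctx["csrf_exempt"] = True
    def check(self, req):
        if req.method not in UNSAFE_METHODS or req.ctx.get("csrf_exempt"):
            return True
        return req.csrf_token == VALID_CSRF

shared = SharedProtector()           # one instance per worker process
request_local = RequestLocalProtector()

def handle_vulnerable(req):
    if req.token_auth:               # per-request decision written into shared state
        shared.exempt(req.endpoint)
    return shared.check(req)
def handle_fixed(req):
    if req.token_auth:
        request_local.exempt(req)
    return request_local.check(req)

def worker_timeline(handler):
    """Same worker: token-authenticated request, then a forged cookie-session POST."""
    poison = Request("dataset.edit", "POST", token_auth=True)
    forged = Request("dataset.edit", "POST")   # cross-site form carries no CSRF token
    return handler(poison), handler(forged)
```

With the shared protector the forged second request is accepted; with request-local state it is rejected, which is the behaviour the upstream fix restores.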
Attack Vector
The attack vector is network-based and requires no authentication. The attacker sends a request to a view configured for token or unauthenticated access. That request marks the endpoint as CSRF-exempt. The attacker then lures an authenticated CKAN user to visit a malicious page, which submits a forged state-changing request to the now-unprotected endpoint. User interaction is required to complete the second stage of the chain.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-mcvf-jxcw-vj73 and the GitHub CVE-2026-41255 Advisory for technical details.
Detection Methods for CVE-2026-41255
Indicators of Compromise
- Unauthenticated requests to CKAN view endpoints that normally serve token-authenticated clients, followed shortly by state-changing requests from authenticated session cookies.
- Cross-origin POST, PUT, or DELETE requests to CKAN endpoints lacking valid CSRF tokens that are nonetheless accepted by the application.
- Referer or Origin headers on state-changing requests that do not match the CKAN deployment hostname.
Detection Strategies
- Inspect reverse proxy and uWSGI access logs for unauthenticated requests to endpoints decorated for token access, then correlate with later authenticated mutations on the same worker.
- Compare CKAN versions deployed across the estate against the fixed versions 2.10.10 and 2.11.5 using software inventory data.
- Review web application firewall (WAF) telemetry for state-changing requests missing the expected X-CSRFToken header or csrf_token form field.
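The per-worker correlation in the first and third strategies, as an added example that is not CKAN tooling: the JSON-lines log schema, the worker field and the hostname are assumptions, and the reverse proxy or uWSGI request log would need to record which worker served each request.

```python
import json
from datetime import datetime, timedelta

SITE_HOST = "data.example.org"   # assumed CKAN deployment hostname
WINDOW = timedelta(hours=1)      # correlation window; real exposure lasts until worker restart
UNSAFE = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed JSON-lines access log; the schema and worker field are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-05-14T10:00:01","worker":3,"method":"POST","path":"/dataset/edit/x","auth":"token","origin":null,"csrf":false}
{"ts":"2026-05-14T10:04:20","worker":3,"method":"POST","path":"/dataset/edit/x","auth":"cookie","origin":"https://attacker.example","csrf":false}
{"ts":"2026-05-14T10:05:00","worker":1,"method":"POST","path":"/dataset/edit/x","auth":"cookie","origin":"https://data.example.org","csrf":true}
{"ts":"2026-05-14T10:06:00","worker":1,"method":"GET","path":"/dataset/x","auth":"cookie","origin":null,"csrf":false}
"""

def parse(text):
    """Parse JSON lines into records with a datetime timestamp."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return recs

def host_of(origin):
    """Extract the host from an Origin/Referer value; None when absent."""
    if not origin:
        return None
    return origin.split("://", 1)[-1].split("/", 1)[0]

def find_suspicious(recs):
    """Flag cookie-authenticated mutations that lack a CSRF token or carry a
    foreign Origin, when the same worker served a token/unauthenticated request
    to the same path within WINDOW (the poisoning step described above)."""
    last_nonsession = {}   # (worker, path) -> ts of latest token/unauth request
    hits = []
    for r in sorted(recs, key=lambda r: r["ts"]):
        key = (r["worker"], r["path"])
        if r["auth"] != "cookie":
            last_nonsession[key] = r["ts"]
            continue
        if r["method"] not in UNSAFE:
            continue
        foreign = host_of(r["origin"]) not in (None, SITE_HOST)
        poisoned = key in last_nonsession and r["ts"] - last_nonsession[key] <= WINDOW
        if (not r["csrf"] or foreign) and poisoned:
            hits.append((r["worker"], r["path"], r["ts"].isoformat()))
    return hits
```

Only the worker-3 sequence matches; the worker-1 edit carries a valid token and a same-site Origin and was not preceded by a non-session request on that worker.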
Monitoring Recommendations
- Track CKAN application logs for CSRF validation failures and for any drop in CSRF rejection rates after deployment events.
- Alert on access patterns where a single uWSGI worker handles unauthenticated token-endpoint traffic followed by authenticated write operations.
- Forward CKAN, uWSGI, and reverse proxy logs to a centralized analytics platform for cross-source correlation.
How to Mitigate CVE-2026-41255
Immediate Actions Required
- Upgrade CKAN to version 2.10.10 for the 2.10.x branch or 2.11.5 for the 2.11.x branch.
- Restart all uWSGI workers after upgrading to clear any poisoned process-level state.
- Audit custom CKAN extensions for additional uses of CSRFProtect() exemption APIs outside of startup configuration.
Patch Information
The vulnerability is fixed in CKAN 2.10.10 and 2.11.5. The patch removes the misuse of flask_wtf.csrf.CSRFProtect() member state for per-request exemption decisions. Refer to the GitHub Security Advisory GHSA-mcvf-jxcw-vj73 for the upstream fix details.
Workarounds
- Restrict access to token-authenticated and unauthenticated view endpoints at the reverse proxy until patching is complete.
- Configure the reverse proxy or WAF to require a matching Origin or Referer header on all state-changing requests to CKAN.
- Schedule frequent uWSGI worker recycling to shorten the window in which a poisoned worker can accept forged requests.
# Example: recycle uWSGI workers frequently to limit exposure window
# /etc/uwsgi/ckan.ini
[uwsgi]
# respawn a worker after this many handled requests
max-requests = 200
# respawn a worker after this many seconds of life
max-worker-lifetime = 600
# kill and respawn a worker whose request runs longer than this many seconds
harakiri = 50
# respawn a worker whose resident memory exceeds this many megabytes
reload-on-rss = 256
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.