
CVE-2026-55741: Cotonti CMS CSRF Vulnerability

CVE-2026-55741 is a Cross-Site Request Forgery flaw in Cotonti CMS 1.0.0 that allows attackers to modify admin configurations without proper token validation. This post covers technical details, impact, and mitigations.


CVE-2026-55741 Overview

CVE-2026-55741 is a Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0 (master branch, commit f43f1fc3). The flaw resides in the administration configuration handler at system/admin/admin.config.php, where the a=update action processes POST data through cot_config_update_options() without invoking cot_check_xg() to validate the anti-CSRF token. An attacker who tricks an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that modifies arbitrary core, module, or plugin configuration options [CWE-352].

Critical Impact

Successful exploitation lets the attacker change any core, module, or plugin configuration value the victim administrator could change, without the administrator seeing the request. Which settings are reachable, and how far they can be abused, depends on the installed modules and plugins; options that govern authentication, registration, or what content is rendered are the ones that turn a silent configuration change into a follow-on compromise of the installation.

Affected Products

  • Cotonti 1.0.0 (master branch)
  • Commit f43f1fc3 (f43f1fc38ba4e02027786dad9dac1435c7c52b30)
  • system/admin/admin.config.php configuration handler

Discovery Timeline

  • 2026-06-18 - CVE-2026-55741 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-55741

Vulnerability Analysis

The vulnerability stems from inconsistent CSRF protection across Cotonti's admin handlers. Sibling administrative endpoints such as admin.structure.php and admin.cache.php correctly call cot_check_xg() to validate the x parameter, which carries the anti-CSRF token. The configuration handler admin.config.php omits this check before dispatching the a=update action to cot_config_update_options().

Because the function trusts incoming POST data without verifying request origin, any state-changing request that reaches the endpoint with an authenticated administrator session is processed. The browser attaches the administrator's session cookie to the cross-origin POST, satisfying the only authentication requirement the handler enforces. One caveat: whether the cookie is actually attached depends on its SameSite attribute. A cookie set with SameSite=None is always sent; a cookie with no attribute is treated as Lax by browsers that default to Lax, which withholds it from cross-site POSTs except during Chrome's two-minute grace period after the cookie is set. The server-side check is still missing either way, so the browser default is not a fix.

The missing token validation maps to [CWE-352] (Cross-Site Request Forgery). Exploitation requires an administrator to load attacker-controlled content while logged in; the attacker needs no account on the target, only the site's URL and the names of the configuration options to set, which are public in the Cotonti source.

Root Cause

The root cause is a missing call to cot_check_xg() inside the update branch of system/admin/admin.config.php. The function cot_config_update_options() writes incoming option values directly to persistent configuration storage. Without the token check, the server cannot distinguish between a legitimate admin form submission and a forged cross-site request.
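The following Python model is an added example, not Cotonti's own code. It reproduces the pattern the root-cause section describes: `vulnerable_update` writes POST fields straight into the configuration store, the way the advisory says the a=update branch hands them to cot_config_update_options(); `hardened_update` first verifies the per-session anti-CSRF token from the request body, which is the role cot_check_xg() plays for Cotonti's `x` parameter. The class names, the token scheme (a random per-session value compared in constant time) and the `maintenance` option name are assumptions made for illustration.

```python
"""Added example (not Cotonti code): why a cookie-only check is not enough."""
import hmac
import secrets


class Session:
    """Server-side session. The cookie names it, but `xk` is never sent in a cookie,
    so a cross-site page cannot obtain it. (Assumed token scheme for the example.)"""
    def __init__(self, is_admin):
        self.is_admin = is_admin
        self.xk = secrets.token_hex(16)


class Request:
    def __init__(self, session, post):
        self.session = session  # resolved from the cookie the browser attached
        self.post = dict(post)  # application/x-www-form-urlencoded body


def check_x(request):
    """Model of cot_check_xg(): the body must carry the token of *this* session."""
    supplied = request.post.get("x", "")
    return hmac.compare_digest(supplied, request.session.xk)


def vulnerable_update(config, request):
    """a=update as the advisory describes it: cookie-based authorization, then write."""
    if not request.session.is_admin:
        return 403
    config.update(request.post)
    return 200


def hardened_update(config, request):
    """Same branch with the token check placed before any write."""
    if not request.session.is_admin:
        return 403
    if not check_x(request):
        return 403  # Cotonti's cot_check_xg() would redirect with an error instead
    config.update({k: v for k, v in request.post.items() if k != "x"})
    return 200


def simulate():
    """Run one forged and one legitimate request against both handlers.
    Returns {handler_kind: (status, resulting maintenance value)}."""
    admin = Session(is_admin=True)
    # Forged: the victim's browser supplies the cookie, but the attacker's page
    # cannot read `xk`, so the best it can do is guess a token.
    forged = Request(admin, {"maintenance": "0", "x": secrets.token_hex(16)})
    # Legitimate: the real admin form embeds the session's token.
    legit = Request(admin, {"maintenance": "0", "x": admin.xk})
    out = {}
    for name, handler in (("vulnerable", vulnerable_update), ("hardened", hardened_update)):
        for kind, req in (("forged", forged), ("legit", legit)):
            cfg = {"maintenance": "1"}  # constructed starting configuration
            status = handler(cfg, req)
            out[f"{name}_{kind}"] = (status, cfg["maintenance"])
    return out


if __name__ == "__main__":
    for key, (status, value) in simulate().items():
        print(f"{key:18s} status={status} maintenance={value}")
```

The forged request succeeds against the vulnerable handler and is rejected by the hardened one, while the legitimate form submission passes both; the only difference is a check that runs before the write and compares against a value the attacker's origin cannot read.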

Attack Vector

An attacker hosts a malicious page containing an auto-submitting HTML form or a credentialed fetch() call that targets admin.config.php?a=update on the victim's Cotonti site. When an authenticated administrator visits the page, the browser submits the request with valid session cookies. A form-encoded cross-origin POST is a CORS "simple" request, so no preflight is sent and the server-side effect occurs even though the attacker's page cannot read the response. The handler processes the POST body and overwrites configuration entries chosen by the attacker, such as security-relevant flags, plugin parameters, or module settings that can be leveraged for further compromise.

No verified public exploit code is available. See the Cotonti repository and the vulnerable configuration handler source for technical context.

Detection Methods for CVE-2026-55741

Indicators of Compromise

  • POST requests to admin.config.php?a=update whose Referer or Origin header points outside the site's own domain, or that carry no valid x token. Standard access logs record the query string and Referer but not the POST body or the Origin header, so token and Origin checks need application-level logging or a proxy/WAF in front of the site.
  • Unexpected modifications in the Cotonti configuration tables, particularly to security, authentication, or plugin-related options.
  • Administrator browser history showing visits to untrusted pages immediately before configuration changes.

Detection Strategies

  • Audit web server access logs for POST requests to system/admin/admin.config.php and correlate with administrator session activity and Referer headers.
  • Enable database-level change auditing on the cot_config table to capture timestamped writes and the responsible session.
  • Deploy a web application firewall rule that blocks or flags state-changing requests to admin endpoints when an Origin header is present and does not match the application host. Decide explicitly how to treat requests with no Origin header: rejecting them is safer but can break older browsers and non-browser clients that never send one, so fall back to the Referer host in that case.
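The detection strategies above can be exercised offline with the script below, an added example that is not part of the advisory. It parses access-log lines in the common "combined" format, keeps only POSTs to the request shape the advisory describes (a path ending in admin.config.php with a=update), and flags each one whose Referer host is foreign or missing. The hostname `cotonti.example`, the helper names and the five log lines are constructed for the example; if a deployment reaches the handler through a different URL, adjust `is_config_update` to match it.

```python
"""Added example (not Cotonti code): flag cross-site config-update POSTs in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption for the example: the hostname this Cotonti instance is served from.
SITE_HOST = "cotonti.example"

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for lines that are not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_config_update(target):
    """True for the request shape the advisory describes: admin.config.php with a=update."""
    parts = urlsplit(target)
    return parts.path.endswith("/admin.config.php") and parse_qs(parts.query).get("a") == ["update"]


def referer_host(referer):
    """Host of the Referer URL, lower-cased; None when the log shows no Referer."""
    if not referer or referer == "-":
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def flag_suspicious_updates(lines, site_host=SITE_HOST):
    """Return (ip, time, reason) for config-update POSTs whose Referer is foreign or missing.

    A foreign Referer is the high-confidence signal. A missing one is weaker: browsers
    drop Referer under strict privacy settings or a Referrer-Policy, so treat those hits
    as leads to correlate with the cot_config change audit rather than as proof."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if not e or e["method"] != "POST" or not is_config_update(e["target"]):
            continue
        host = referer_host(e["referer"])
        if host is None:
            flagged.append((e["ip"], e["time"], "missing Referer on config update POST"))
        elif host != site_host.lower():
            flagged.append((e["ip"], e["time"], f"foreign Referer host {host}"))
    return flagged


# Constructed sample log: one legitimate update, one forged from a lure page, one with
# no Referer, a GET that changes nothing, and a POST to a different admin handler.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2026:10:15:02 +0000] "POST /system/admin/admin.config.php?a=update HTTP/1.1" 302 0 "https://cotonti.example/system/admin/admin.config.php" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:17:45 +0000] "POST /system/admin/admin.config.php?a=update HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:19:10 +0000] "POST /system/admin/admin.config.php?a=update HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Jun/2026:10:20:00 +0000] "GET /system/admin/admin.config.php?a=update HTTP/1.1" 200 4123 "https://attacker.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Jun/2026:10:21:30 +0000] "POST /system/admin/admin.cache.php?a=clear HTTP/1.1" 302 0 "https://attacker.example/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, reason in flag_suspicious_updates(SAMPLE_LOG):
        print(f"{when}  {ip}  {reason}")
```

Feed real logs with `flag_suspicious_updates(open(path))` and join the hits on client IP and time window against the administrator's session records and the cot_config change audit; a single flagged POST followed by a configuration write the administrator does not recognise is the pattern to escalate.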

Monitoring Recommendations

  • Alert on configuration option changes occurring outside of declared maintenance windows.
  • Monitor for administrator sessions that perform configuration updates immediately after navigating from external referrers.
  • Track failed and successful admin authentications alongside configuration writes to build a baseline of legitimate change activity.

How to Mitigate CVE-2026-55741

Immediate Actions Required

  • Restrict access to the Cotonti administrative interface using IP allow-listing or VPN-only access until a patched version is deployed.
  • Instruct administrators to log out of Cotonti before browsing untrusted sites and to use a dedicated browser profile for administrative work.
  • Review the cot_config table for unexpected changes and restore known-good values where modifications cannot be attributed to legitimate activity.

Patch Information

No official fixed release is referenced in the published advisory. The expected fix is to call cot_check_xg() (or the equivalent token check) in the a=update branch of system/admin/admin.config.php before cot_config_update_options() runs, mirroring the pattern already used in admin.structure.php and admin.cache.php; the check must sit before any write and must fail closed rather than merely log. Track the Cotonti GitHub repository for upstream commits that address the missing token validation.

Workarounds

  • Apply a local patch that inserts an anti-CSRF token check at the top of the update action in system/admin/admin.config.php.
  • Configure a reverse proxy or WAF to require a matching Origin or Referer header on POST requests to admin.config.php.
  • Set an explicit SameSite attribute on the Cotonti session cookie so the browser withholds it from cross-site POST requests. SameSite=Lax is enough for that and still lets administrators follow links into the site; SameSite=Strict also drops the session on every cross-site navigation, which surprises users. Do not rely on the Lax default some browsers apply to cookies without the attribute, because Chrome exempts cross-site POSTs for two minutes after such a cookie is set. This is a browser-side defence in depth, not a substitute for the server-side token check.
```nginx
# Example nginx rule restricting cross-origin POSTs to the admin handler.
# nginx does not allow nested or combined "if" conditions, so the method and
# Origin tests are folded into one map variable (http context, outside server {}).
map "$request_method:$http_origin" $deny_admin_config_post {
    default                                   0;
    "POST:https://your-cotonti-host.example"  0;   # exact match wins over the regex below
    "~^POST:"                                 1;   # POST with any other, or empty, Origin
}

# server context; adjust the location to the URL your deployment actually uses
location ~ /system/admin/admin\.config\.php$ {
    if ($deny_admin_config_post) { return 403; }
    # ... existing PHP handling for this location ...
}
```
Test this against the real admin UI before enforcing it: a client that sends no Origin header at all (older browsers, scripted clients) is refused by this rule.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
