CVE Vulnerability Database

CVE-2026-55744: Cotonti PFS Module CSRF Vulnerability

CVE-2026-55744 is a Cross-Site Request Forgery flaw in Cotonti's Personal File Storage module that allows attackers to upload arbitrary files through forged requests. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-55744 Overview

CVE-2026-55744 is a Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0 (master branch, commit f43f1fc3). The flaw resides in the Personal File Storage (PFS) module at modules/pfs/inc/pfs.main.php. The file upload action (a=upload) processes uploaded files without invoking cot_check_xg() to validate the anti-CSRF token. Sibling actions such as delete correctly enforce token validation, making this an inconsistency in the module's security controls. An attacker who lures an authenticated user to a malicious page can force the browser to upload arbitrary files into the victim's PFS storage [CWE-352].

Critical Impact

Authenticated users visiting attacker-controlled pages can have arbitrary files uploaded into their personal storage without consent, enabling content planting and downstream abuse.

Affected Products

  • Cotonti 1.0.0 (master branch, commit f43f1fc38ba4e02027786dad9dac1435c7c52b30)
  • Cotonti PFS module (modules/pfs/inc/pfs.main.php)
  • Deployments running the affected commit without backported CSRF checks

Discovery Timeline

  • 2026-06-18 - CVE-2026-55744 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-55744

Vulnerability Analysis

The Cotonti PFS module dispatches actions based on the a parameter. Each action should validate a CSRF token using cot_check_xg() before performing state-changing operations. The delete action at line 272 follows this pattern correctly. The upload action at line 118 omits the token check entirely. This omission breaks the security boundary expected for write operations against the authenticated user's storage area.

Because the upload handler accepts standard multipart form submissions, any cross-origin HTML form that targets the PFS endpoint will execute with the victim's session cookies attached. The server treats the request as legitimate and writes the attacker-supplied file into the victim's PFS directory.

Root Cause

The root cause is a missing call to cot_check_xg() inside the a=upload branch of pfs.main.php. The PFS module assumes that authenticated session context is sufficient authorization for write operations. Authentication and intent are conflated, which is the precise failure mode described by CWE-352. The inconsistency with the delete branch shows this is an oversight rather than an architectural decision.
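To make the conflation of authentication and intent concrete, the following added PHP script (written for this page, not Cotonti's code and not published with the advisory) models the dispatch pattern described above: a delete branch that validates the token, an upload branch that does not, and a hardened dispatcher that checks before any state change. check_xg(), dispatch_vulnerable(), dispatch_fixed() and SESSION_XK are local stand-ins so the script runs on its own from the CLI; cot_check_xg() itself is Cotonti's helper and is not reproduced here.

```php
<?php
// Added illustration, not Cotonti's code. Models the PFS action dispatch in
// pfs.main.php: "delete" checks the anti-CSRF token, "upload" does not.

// Cotonti sends its per-session anti-CSRF token as the "x" parameter.
// This is a constructed value; the real one is generated by the framework.
const SESSION_XK = 'a1b2c3d4e5f6';

/** Stand-in for cot_check_xg(): true only if the submitted x matches the session token. */
function check_xg(array $request): bool
{
    $x = $request['x'] ?? '';
    return is_string($x) && hash_equals(SESSION_XK, $x);
}

/** Pattern of the affected handler: delete validates the token, upload does not. */
function dispatch_vulnerable(array $request, array &$storage): string
{
    switch ($request['a'] ?? '') {
        case 'delete':
            if (!check_xg($request)) {
                return 'delete: rejected (bad token)';
            }
            unset($storage[$request['file']]);
            return 'delete: done';
        case 'upload':
            // Missing token check: any POST carrying a session cookie is accepted.
            $storage[$request['file']] = $request['content'];
            return 'upload: done';
    }
    return 'unknown action';
}

/** Hardened handler: the token check runs before any state change in every branch. */
function dispatch_fixed(array $request, array &$storage): string
{
    $action = $request['a'] ?? '';
    if (in_array($action, ['delete', 'upload'], true) && !check_xg($request)) {
        return "$action: rejected (bad token)";
    }
    switch ($action) {
        case 'delete':
            unset($storage[$request['file']]);
            return 'delete: done';
        case 'upload':
            $storage[$request['file']] = $request['content'];
            return 'upload: done';
    }
    return 'unknown action';
}

// Constructed requests. The forged one arrives with the victim's session
// (cookies are attached by the browser) but without the token, because a
// cross-site page cannot read it; the legitimate one carries the token.
$forged = ['a' => 'upload', 'file' => 'planted.txt', 'content' => 'constructed content'];
$legit  = ['a' => 'upload', 'file' => 'notes.txt', 'content' => 'hello', 'x' => SESSION_XK];

foreach (['dispatch_vulnerable', 'dispatch_fixed'] as $handler) {
    $storage = [];
    echo $handler, PHP_EOL;
    echo '  forged : ', $handler($forged, $storage), PHP_EOL;
    echo '  legit  : ', $handler($legit, $storage), PHP_EOL;
    echo '  files  : ', implode(', ', array_keys($storage)) ?: '(none)', PHP_EOL;
}
```

Run with `php csrf_dispatch.php`: the vulnerable dispatcher stores both planted.txt and notes.txt, while the fixed dispatcher rejects the forged request and stores only notes.txt. The fix is placed above the switch so every state-changing action shares one check, which is what the advisory's "matching the pattern used by the delete action" amounts to.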

Attack Vector

Exploitation requires an authenticated Cotonti user to load attacker-controlled HTML in the same browser session. The malicious page hosts a hidden form with enctype="multipart/form-data" that POSTs to the Cotonti PFS upload endpoint. JavaScript on the page submits the form automatically. The victim's browser attaches session cookies, and Cotonti processes the upload as if the user initiated it. The attacker can specify the filename, MIME type, and content, allowing arbitrary file placement under the victim's PFS namespace. See the Cotonti source file for the affected handler.

No code example is published with this advisory. Refer to the Cotonti repository for handler context.

Detection Methods for CVE-2026-55744

Indicators of Compromise

  • PFS upload requests where the HTTP Referer or Origin header points to a domain outside the Cotonti site
  • Unexpected files appearing in user PFS directories without corresponding user-initiated upload events in application logs
  • Multipart POST requests to the PFS endpoint with a=upload lacking the expected x anti-CSRF token parameter

Detection Strategies

  • Inspect web server access logs for POST requests to /?e=pfs&a=upload with foreign Origin headers
  • Correlate file creation events in PFS storage paths against authenticated session activity to surface uploads without matching user interaction
  • Deploy a Web Application Firewall (WAF) rule that flags multipart submissions to the PFS upload action missing a valid CSRF token field
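The log inspection and missing-token checks above can be scripted. The PHP CLI script below is an added example for this page, not part of the advisory or of Cotonti. It assumes a custom nginx or Apache log_format that appends the Origin header as a final quoted field after the user agent (stock "combined" logs carry only the Referer, so only that check applies to them), and that the x token travels in the query string of the upload request, which is where cot_check_xg() reads it from. SITE_HOST and the log lines are constructed.

```php
<?php
// Added example, not from the advisory or the Cotonti project. Flags PFS
// upload POSTs whose Origin/Referer is foreign or absent, or whose query
// string lacks the x anti-CSRF token.

const SITE_HOST = 'cotonti.example';   // constructed hostname of the protected site

// "combined" log plus a trailing "$http_origin" field (constructed sample lines).
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [18/Jun/2026:10:01:02 +0000] "GET /?e=pfs HTTP/1.1" 200 4120 "https://cotonti.example/" "Mozilla/5.0" "-"
203.0.113.5 - - [18/Jun/2026:10:01:40 +0000] "POST /?e=pfs&a=upload&x=3f9c1e HTTP/1.1" 302 0 "https://cotonti.example/?e=pfs" "Mozilla/5.0" "https://cotonti.example"
198.51.100.7 - - [18/Jun/2026:10:05:13 +0000] "POST /?e=pfs&a=upload HTTP/1.1" 302 0 "https://third-party.example/page.html" "Mozilla/5.0" "https://third-party.example"
198.51.100.9 - - [18/Jun/2026:10:06:55 +0000] "POST /?e=pfs&a=upload HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
LOG;

/** Parse one log line; returns null if it does not match the expected format. */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'origin' => $m[7]];
}

/** Lower-cased host of a URL, or '' when the field is absent ("-" in logs). */
function host_of(string $url): string
{
    return ($url === '-' || $url === '') ? '' : strtolower((string) parse_url($url, PHP_URL_HOST));
}

/** Return the reasons a request looks like a cross-site upload, or [] if it does not. */
function suspicious_reasons(array $r): array
{
    if ($r['method'] !== 'POST') {
        return [];
    }
    parse_str((string) parse_url($r['target'], PHP_URL_QUERY), $q);
    if (($q['e'] ?? '') !== 'pfs' || ($q['a'] ?? '') !== 'upload') {
        return [];
    }
    $reasons = [];
    $origin  = host_of($r['origin']);
    $referer = host_of($r['referer']);
    if ($origin !== '' && $origin !== SITE_HOST) {
        $reasons[] = "foreign Origin $origin";
    }
    if ($origin === '' && $referer !== '' && $referer !== SITE_HOST) {
        $reasons[] = "foreign Referer $referer";
    }
    if ($origin === '' && $referer === '') {
        $reasons[] = 'no Origin or Referer';
    }
    if (empty($q['x'])) {
        $reasons[] = 'missing x token in query string';
    }
    return $reasons;
}

foreach (explode("\n", SAMPLE_LOG) as $line) {
    $r = parse_line($line);
    if ($r === null) {
        continue;
    }
    $reasons = suspicious_reasons($r);
    if ($reasons) {
        printf("ALERT %s %s -> %s\n", $r['time'], $r['ip'], implode('; ', $reasons));
    }
}
```

Only the third and fourth sample lines produce alerts: the legitimate upload carries both a same-site Origin and an x token. A missing Origin is treated as suspicious rather than benign because modern browsers send Origin on every POST, so its absence on an upload usually means a non-browser client or a stripped header; tune that rule if the site has legitimate API clients.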

Monitoring Recommendations

  • Enable verbose logging on the PFS module to record the source, size, and filename of every upload
  • Alert on bursts of uploads to a single user's PFS directory within a short time window
  • Monitor outbound links posted in forums or comments that reference attacker-staged exploitation pages

How to Mitigate CVE-2026-55744

Immediate Actions Required

  • Patch modules/pfs/inc/pfs.main.php to invoke cot_check_xg() at the top of the a=upload branch, matching the pattern used by the delete action
  • Audit all other PFS actions and any custom modules for missing cot_check_xg() calls on state-changing requests
  • Force-expire active user sessions after applying the fix to invalidate any in-flight CSRF attempts

Patch Information

No upstream fix is referenced in the published advisory. Administrators should track the Cotonti GitHub repository for a commit that adds the missing CSRF check to the upload handler. Until an official release is available, apply the local source modification described above.

Workarounds

  • Disable the PFS module in Cotonti configuration until a patched version is deployed
  • Configure the web server or reverse proxy to reject POSTs to the PFS upload endpoint when Origin or Referer does not match the site's own hostname
  • Set the session cookie SameSite attribute to Strict or Lax to block cross-site cookie attachment for upload requests
```nginx
# Example nginx rule to enforce same-origin POSTs to the PFS upload endpoint.
# "map" must sit in the http {} context; it yields 1 for a missing or foreign
# Origin header and 0 for the site's own origin (replace the hostname).
map $http_origin $bad_origin {
    default                                     1;
    "~*^https?://your-cotonti-site\.example$"   0;
}

server {
    location / {
        # nginx does not allow nested "if" blocks, so the conditions are
        # accumulated into one variable and checked once at the end.
        set $block "";
        if ($request_method = POST) { set $block "P"; }
        if ($arg_e = "pfs")         { set $block "${block}E"; }
        if ($arg_a = "upload")      { set $block "${block}A"; }
        if ($bad_origin = 1)        { set $block "${block}O"; }
        if ($block = "PEAO")        { return 403; }
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
