CVE-2026-5624 Overview
A Cross-Site Request Forgery (CSRF) vulnerability has been discovered in ProjectSend r2002. This vulnerability affects the file upload.php and allows attackers to perform unauthorized actions by tricking authenticated users into executing malicious requests. The attack can be initiated remotely, and exploit code has been publicly released, increasing the risk of active exploitation.
Critical Impact
Attackers can manipulate authenticated users into performing unintended file upload operations, potentially leading to data integrity compromise and unauthorized content being uploaded to the ProjectSend system.
Affected Products
- ProjectSend r2002
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-5624 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5624
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). CSRF vulnerabilities occur when a web application fails to properly verify that a request was intentionally made by the authenticated user. In the case of ProjectSend r2002, the upload.php file does not implement adequate CSRF protections, allowing attackers to craft malicious requests that execute in the security context of a victim's authenticated session.
The exploit has been publicly released, which significantly increases the likelihood of attacks targeting unpatched installations. Organizations using ProjectSend for file sharing should prioritize upgrading to the patched version to mitigate this risk.
Root Cause
The root cause of this vulnerability lies in the missing or inadequate CSRF token validation in the upload.php file. Without proper anti-CSRF measures such as synchronizer tokens or same-site cookie attributes, the application cannot distinguish between legitimate requests initiated by the user and forged requests crafted by an attacker.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious web page or email containing a forged request targeting the vulnerable upload.php endpoint. When an authenticated ProjectSend user visits the malicious page or clicks a malicious link, the browser automatically includes their session cookies with the forged request, causing the server to process it as legitimate.
The attack scenario typically involves:
- The attacker identifies a target user who has an active session with a vulnerable ProjectSend instance
- The attacker creates a malicious webpage containing a hidden form that submits to the vulnerable upload.php endpoint
- The victim is tricked into visiting the attacker's page while authenticated to ProjectSend
- The victim's browser automatically submits the forged request with valid session credentials
- The server processes the request, potentially uploading attacker-controlled content
Detection Methods for CVE-2026-5624
Indicators of Compromise
- Unexpected file uploads appearing in ProjectSend storage directories
- HTTP POST requests to upload.php with unusual referrer headers or missing referrer headers
- File uploads originating from IP addresses that don't match the authenticated user's typical location
- Sudden increases in upload activity from authenticated user sessions
Detection Strategies
- Monitor web server access logs for requests to upload.php with external or suspicious referrer headers
- Implement Content Security Policy (CSP) headers to detect and report cross-origin form submissions
- Review uploaded files for unexpected or malicious content that may indicate CSRF exploitation
- Deploy web application firewall (WAF) rules to detect CSRF attack patterns
Monitoring Recommendations
- Enable detailed logging for the upload.php endpoint including full request headers
- Configure alerts for file upload operations that lack expected CSRF tokens in request parameters
- Monitor for user complaints about unexpected actions performed on their behalf
- Implement session monitoring to detect rapid sequences of upload requests from single sessions
How to Mitigate CVE-2026-5624
Immediate Actions Required
- Upgrade ProjectSend to version r2029 or later immediately
- Review recently uploaded files for any suspicious or unauthorized content
- Implement additional network-level controls to restrict access to the ProjectSend instance
- Consider temporarily disabling the upload functionality until patching is complete
Patch Information
The vulnerability is fixed in ProjectSend version r2029. The security patch is identified by commit hash 2c0d25824ab571b6c219ac1a188ad9350149661b. Organizations should upgrade to ProjectSend r2029 to resolve this vulnerability. The patch details can be reviewed in the GitHub ProjectSend Commit.
Workarounds
- Implement a reverse proxy or web application firewall (WAF) with CSRF protection rules
- Restrict access to the ProjectSend application to trusted IP ranges or VPN-only access
- Educate users about the risks of clicking unknown links while authenticated to ProjectSend
- Consider implementing additional authentication requirements for file upload operations
# Example: Configure Apache mod_headers to add SameSite cookie attribute
# Add to ProjectSend virtual host configuration
<IfModule mod_headers.c>
Header always edit Set-Cookie ^(.*)$ "$1; SameSite=Strict"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
