CVE-2026-40471
Hackage · hackage-server
The hackage-server application lacks CSRF protection, allowing attackers to perform unauthorized administrative actions or create new user accounts via malicious scripts on external sites.
Executive summary
The lack of Cross-Site Request Forgery (CSRF) protection in hackage-server poses a critical risk of unauthorized administrative account manipulation and system compromise.
Vulnerability
The application fails to implement CSRF tokens or equivalent validation across its endpoints. This allows an attacker to trick authenticated users into executing unauthorized requests, such as package uploads, or to abuse unauthenticated endpoints to register unauthorized accounts.
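The following is an added example, not code from hackage-server, showing the handler pattern the advisory describes beside a hardened form. A state-changing endpoint that relies only on the session cookie accepts a form post submitted from any site, because the browser attaches the cookie regardless of which page sent the request. The hardened handler adds two independent checks: an Origin/Referer comparison against the site's own origin, and a per-session synchronizer token that a cross-site page cannot read. The `Request` model, `SITE_ORIGIN`, the `/users/register` path and the session store are placeholders assumed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed origin of the deployed server (placeholder, not a real Hackage host).
SITE_ORIGIN = "https://hackage.example"


@dataclass
class Request:
    """Constructed model of an incoming HTTP request; the field names are this
    example's own and do not mirror hackage-server's request type."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def handle_vulnerable(req: Request, sessions: dict) -> str:
    """The pattern the advisory describes: a state-changing endpoint whose only
    check is the session cookie. The browser attaches that cookie to a form
    post from any site, so a forged cross-site request passes."""
    if req.method != "POST":
        return "405 method not allowed"
    if req.cookies.get("session") not in sessions:
        return "401 login required"
    return "200 action performed"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: a random per-session secret kept server-side
    and embedded in each form as a hidden field, which other sites cannot read."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def same_origin(req: Request) -> bool:
    """Second layer: the Origin header (or Referer as a fallback) must name the
    site itself. Absence of both on a POST is treated as a failure."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == SITE_ORIGIN


def handle_hardened(req: Request, sessions: dict) -> str:
    """Same endpoint with origin validation and a constant-time token check."""
    if req.method != "POST":
        return "405 method not allowed"
    session = sessions.get(req.cookies.get("session"))
    if session is None:
        return "401 login required"
    if not same_origin(req):
        return "403 cross-site request rejected"
    expected = session.get("csrf", "")
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    return "200 action performed"


def demo() -> dict:
    """Run one cross-site and one legitimate request through both handlers."""
    sessions = {"s1": {}}                      # one logged-in user (constructed)
    token = issue_csrf_token(sessions["s1"])
    # A form post originating from another site: the browser attaches the
    # session cookie, but that page cannot know or include the token.
    forged = Request("POST", "/users/register",           # placeholder path
                     headers={"Origin": "https://other.example"},
                     cookies={"session": "s1"},
                     form={"username": "newadmin"})
    legit = Request("POST", "/users/register",
                    headers={"Origin": SITE_ORIGIN},
                    cookies={"session": "s1"},
                    form={"username": "newadmin", "csrf_token": token})
    return {
        "vulnerable_forged": handle_vulnerable(forged, sessions),
        "hardened_forged": handle_hardened(forged, sessions),
        "hardened_legit": handle_hardened(legit, sessions),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two checks are deliberately independent: the origin check catches a forged request even if a token leaks, and the token check catches a request whose headers were stripped by a proxy or privacy extension. `hmac.compare_digest` is used so that token comparison does not leak timing information.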
Business impact
The absence of CSRF protection puts the integrity of administrative functions at risk. With a CVSS score of 9.6, this vulnerability could lead to unauthorized code distribution or full takeover of user management functions, resulting in severe reputational damage and the potential for supply chain attacks through malicious package uploads.
Remediation
Immediate Action: Identify and apply the latest security update provided by the Hackage maintainers to enable robust CSRF mitigation.
Proactive Monitoring: Review access logs for anomalous account creation patterns or unauthorized package upload requests originating from unexpected referrers.
Compensating Controls: Implement strict Content Security Policy (CSP) headers and set the SameSite attribute on session cookies to 'Strict' or 'Lax' to provide defense-in-depth.
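As an added example (not hackage-server code) covering the monitoring and cookie steps above, the script below scans access-log lines in the common combined format for accepted POSTs to account-creation and upload endpoints whose Referer is missing or belongs to another host, flags bursts of account creations from a single address, and builds a session `Set-Cookie` header with the SameSite attribute applied. The log lines, the `SENSITIVE_PATHS` entries and `SITE_HOST` are constructed placeholders; the advisory names the actions, not the URLs.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Placeholder paths for the state-changing endpoints of interest.
SENSITIVE_PATHS = {"/users/register", "/packages/upload"}
# Assumed hostname of the deployed server (placeholder).
SITE_HOST = "hackage.example"

# Combined log format (nginx/Apache default) with referer and user-agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines; none of this is real Hackage traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /packages/ HTTP/1.1" 200 512 "https://hackage.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "POST /packages/upload HTTP/1.1" 200 88 "https://hackage.example/upload" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:01:10 +0000] "POST /users/register HTTP/1.1" 200 40 "https://blog.example/post" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:01:11 +0000] "POST /users/register HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:01:12 +0000] "POST /users/register HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""


def cross_site_referer(referer: str) -> bool:
    """True when the Referer is absent ("-" in combined format) or names a
    host other than the site itself."""
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != SITE_HOST


def find_suspicious(log_text: str, burst_threshold: int = 3) -> list:
    """Return (ip, path, reason) tuples for accepted state-changing POSTs that
    look cross-site, plus per-address account-creation bursts."""
    findings = []
    registrations = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        rec = m.groupdict()
        if rec["method"] != "POST" or rec["path"] not in SENSITIVE_PATHS:
            continue
        if not rec["status"].startswith(("2", "3")):
            continue                      # only requests the server accepted matter
        if cross_site_referer(rec["referer"]):
            findings.append((rec["ip"], rec["path"], "cross-site or missing referer"))
        if rec["path"] == "/users/register":
            registrations[rec["ip"]] += 1
    for ip, n in registrations.items():
        if n >= burst_threshold:
            findings.append((ip, "/users/register", f"{n} account creations from one address"))
    return findings


def session_cookie_header(value: str, same_site: str = "Lax") -> str:
    """Build the session Set-Cookie value with the attributes the advisory
    recommends. Lax still lets the cookie ride along on top-level GET
    navigations, so state changes must never be reachable via GET."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("SameSite must be Strict or Lax for CSRF defense-in-depth")
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


if __name__ == "__main__":
    for ip, path, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
    print(session_cookie_header("example-session-id"))
```

On the constructed sample the legitimate upload from the site's own page is not flagged, while the three registrations from 198.51.100.9 are reported individually for their referer and once more as a burst. A missing Referer is not proof of forgery (privacy settings strip it), which is why the script reports rather than blocks; the blocking belongs to the token and origin checks in the application itself.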
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical CVSS score, organizations utilizing hackage-server must prioritize this update. Administrators should immediately audit user account logs for suspicious activity and ensure that all administrative interfaces are protected by modern web security standards.