CVE-2026-28281
Status: Received - Intake
CSRF Vulnerability in InstantCMS Allows Privilege Escalation

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability is fixed in 2.18.1.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: instantcms | Product: instantcms | Version / Range: up to 2.18.1 (excluding)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-28281 is a Cross-Site Request Forgery (CSRF) vulnerability in InstantCMS versions prior to 2.18.1. The system does not properly validate CSRF tokens on several sensitive endpoints, allowing attackers to perform unauthorized actions by tricking authenticated users into loading malicious content.

  • Attackers can exploit this by embedding specially crafted URLs in rich text editors that automatically trigger GET requests when the page loads.
  • These actions include granting moderator privileges to users, executing scheduled tasks, moving posts to trash, and accepting friend requests on behalf of the user.

The root cause is the absence of CSRF token validation and the improper use of GET requests for state-changing operations.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized privilege escalation and manipulation of content.

  • Attackers can grant themselves or others moderator privileges, compromising confidentiality and integrity.
  • They can execute scheduled tasks, potentially affecting confidentiality, integrity, and availability.
  • Attackers can move arbitrary posts to trash, impacting data integrity and availability.
  • They can accept friend requests on behalf of users, leading to limited confidentiality and integrity loss.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized GET or POST requests to specific vulnerable endpoints that lack CSRF token validation.

  • Check for GET requests to endpoints such as `/messages/notice_action?notice_id=...&action_name=accept` which accept friend requests without CSRF validation.
  • Look for GET requests to `/posts/trash_put/{post_id}` which move posts to trash without CSRF protection.
  • Monitor GET requests to `/admin/settings/scheduler/run/{task_id}` that execute scheduled tasks without CSRF tokens.
  • Detect GET or POST requests to `/admin/ctypes/moderators/{id}/add?name=...` which grant moderator privileges without CSRF validation.

Suggested commands to detect suspicious activity include using network monitoring tools or web server logs to filter requests to these endpoints. For example, using grep on access logs:

  • `grep -E 'GET /messages/notice_action\?notice_id=.*&action_name=accept' /var/log/nginx/access.log`
  • `grep -E 'GET /posts/trash_put/' /var/log/nginx/access.log`
  • `grep -E 'GET /admin/settings/scheduler/run/' /var/log/nginx/access.log`
  • `grep -E 'GET /admin/ctypes/moderators/.*/add' /var/log/nginx/access.log` [1]
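The grep commands above match on path alone. The following script is an added example (not part of this advisory and not InstantCMS code) that parses nginx combined-format access logs, flags requests to the four endpoints the advisory names, and additionally records whether the `Referer` header is missing or belongs to another host, which is this example's own heuristic for separating a user's own in-site click from a request triggered from a third-party page. The site hostname, the log lines and the numeric ids are all constructed sample values.

```python
"""Scan nginx combined-format access logs for requests to the InstantCMS
state-changing endpoints listed in CVE-2026-28281.

Added example, not advisory or InstantCMS code. Endpoint paths come from
the advisory; the sample log lines are constructed; the cross-site
Referer heuristic is this example's own assumption.
"""
import re
from urllib.parse import urlsplit

# Endpoint patterns quoted in the advisory's detection guidance.
SENSITIVE_ENDPOINTS = {
    "accept_friend_request": re.compile(r"^/messages/notice_action\?.*\baction_name=accept\b"),
    "trash_post": re.compile(r"^/posts/trash_put/\d+"),
    "run_scheduler_task": re.compile(r"^/admin/settings/scheduler/run/\d+"),
    "add_moderator": re.compile(r"^/admin/ctypes/moderators/\d+/add\b"),
}

# nginx "combined" format:
# ip - user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_is_cross_site(referer, site_host):
    """True when the Referer is absent or names a different host (assumed indicator)."""
    if referer in ("", "-"):
        return True
    return urlsplit(referer).hostname != site_host


def scan_access_log(lines, site_host):
    """Return one finding per request that hits a sensitive endpoint."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SENSITIVE_ENDPOINTS.items():
            if pattern.search(rec["path"]):
                findings.append({
                    "endpoint": name,
                    "method": rec["method"],
                    "path": rec["path"],
                    "ip": rec["ip"],
                    "status": rec["status"],
                    "cross_site": referer_is_cross_site(rec["referer"], site_host),
                })
    return findings


# Constructed sample lines (not real traffic). Line 1 has no Referer,
# line 2 is a same-site request, line 3 has a third-party Referer,
# line 4 is an ordinary page view that should not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:15:01 +0000] "GET /messages/notice_action?notice_id=42&action_name=accept HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:16:12 +0000] "GET /posts/trash_put/17 HTTP/1.1" 302 0 "https://cms.example.org/posts/17" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:17:30 +0000] "GET /admin/ctypes/moderators/3/add?name=someuser HTTP/1.1" 200 210 "https://other.example.net/page" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2026:10:18:00 +0000] "GET /posts/17 HTTP/1.1" 200 8192 "https://cms.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG, "cms.example.org"):
        flag = "CROSS-SITE" if f["cross_site"] else "same-site"
        print(f"{flag:10} {f['endpoint']:22} {f['method']} {f['path']} from {f['ip']}")
```

Run against a real file with `scan_access_log(open(path), "your.host")`. Requests marked same-site may still be legitimate use of the pre-2.18.1 GET endpoints, so the `cross_site` flag is a triage aid, not proof of exploitation; browsers also strip or omit `Referer` depending on referrer policy, which is why an absent header is only reported, not treated as confirmed abuse.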


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade InstantCMS to version 2.18.1 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the vulnerable endpoints by implementing additional access controls or web application firewall (WAF) rules to block unauthorized GET or POST requests to these endpoints.

Additionally, monitor and audit logs for suspicious requests to the affected endpoints to detect exploitation attempts.

The root cause is the lack of CSRF token validation on critical endpoints and the use of GET requests for state-changing operations. The permanent fix involves adding CSRF token verification to all sensitive endpoints, for example:

  • Implement CSRF token validation in server-side code, e.g., `if (!cmsForm::validateCSRFToken($this->request->get('csrf_token', ''))) { return cmsCore::error404(); }` [1]
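The PHP one-liner above is InstantCMS's own check. As an added example that is not the project's code, the following Python sketch shows the same pattern generically, covering both root causes the answer names: the token is bound to the session and compared in constant time, and state-changing actions are refused over GET rather than merely token-checked. The `session` and `request` dicts stand in for a real framework's objects, and the `TOKEN_FIELD` name and action names are assumptions for illustration.

```python
"""Session-bound CSRF token check for state-changing actions.

Added example, not InstantCMS code. The session and request are plain
dicts standing in for a framework's objects; field and action names are
illustrative assumptions.
"""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"          # assumed form/query field name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session):
    """Create the per-session token once; forms embed it and echo it back."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def validate_csrf_token(session, submitted):
    """Constant-time comparison of the submitted value with the session token."""
    expected = session.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_state_change(session, request, action):
    """Gate a state-changing action such as add_moderator or trash_post.

    request: dict with 'method' and 'params' (the form or query fields).
    Returns (http_status, message).
    """
    if request["method"] in SAFE_METHODS:
        # Performing state changes over GET is the second root cause named
        # in the advisory; a link or image load must never trigger them.
        return 405, "state-changing action requires POST"
    if not validate_csrf_token(session, request["params"].get(TOKEN_FIELD)):
        return 403, "invalid or missing CSRF token"
    return 200, f"{action} performed"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(handle_state_change(session, {"method": "GET", "params": {TOKEN_FIELD: token}}, "add_moderator"))
    print(handle_state_change(session, {"method": "POST", "params": {}}, "add_moderator"))
    print(handle_state_change(session, {"method": "POST", "params": {TOKEN_FIELD: token}}, "add_moderator"))
```

The token is generated with `secrets` so it is unguessable, compared with `hmac.compare_digest` so a wrong guess cannot be distinguished by timing, and checked only after the method gate, so a GET to an action endpoint fails even when a valid token happens to be in the URL. Returning 404 as the InstantCMS snippet does, rather than 403, hides the endpoint from a forged request; either response is acceptable as long as the action is not performed.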

