CVE-2026-31014
Received Received - Intake
CSRF Vulnerability in Dovestones AD Self Update <4.0.0.5 Allows Unauthorized Account Modification

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: MITRE

Description
Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally POST-based request can be converted to a GET request while still successfully updating user details. This allows an attacker to craft a malicious request that, when visited by an authenticated user, can modify user account information without their consent.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31014
EUVD
EUVD-2026-24133
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dovestones ad_self_update to 4.0.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31014 is a Cross-Site Request Forgery (CSRF) vulnerability in Dovestones Software AD SelfUpdate versions prior to 4.0.0.5. It affects an endpoint that updates user account details without requiring CSRF tokens or similar protections.

This endpoint accepts application/x-www-form-urlencoded requests and allows originally POST-based requests to be converted into GET requests while still successfully updating user details.

An attacker can craft a malicious URL or webpage that, when visited by an authenticated user, triggers unauthorized changes to user account information without the user's knowledge or consent.

Impact Analysis

Successful exploitation of this vulnerability can lead to unauthorized modifications of user account details, including contact information and profile attributes.

This can disrupt account workflows, compromise the integrity of directory-stored user data, and increase opportunities for social engineering attacks through altered account data.

The attack requires the victim to be authenticated and involves them visiting a malicious URL or webpage crafted by the attacker.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the endpoint /ADSelfUpdate/Home/UpdateADUser for state-changing requests that do not require CSRF tokens or equivalent protections.

Specifically, look for application/x-www-form-urlencoded requests that update user details and check if POST requests are being accepted as GET requests as well.

Commands to detect this may include using network traffic analysis tools like curl or wget to test the endpoint behavior, or inspecting web server logs for suspicious GET or POST requests to the vulnerable endpoint.

  • Use curl to test if GET requests can update user details: curl -X GET 'http://target/ADSelfUpdate/Home/UpdateADUser' -d 'user_data=malicious_data' -b 'auth_cookies'
  • Inspect web server logs for unexpected GET requests with parameters to /ADSelfUpdate/Home/UpdateADUser.
Mitigation Strategies

Immediate mitigation steps include upgrading Dovestones Software AD SelfUpdate to version 4.0.0.5 or later, which contains fixes for this vulnerability.

Additional defensive measures include implementing CSRF tokens for all state-changing requests, enforcing POST-only behavior for update actions, validating Origin and Referer headers, using SameSite cookie protections, and requiring reauthentication for sensitive account changes.

Compliance Impact

The vulnerability allows unauthorized modification of user account information without the user's consent, which can lead to loss of integrity of directory-stored user data and increased opportunities for social engineering.

Such unauthorized changes and potential data integrity issues could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal data and ensuring data integrity and user consent.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart