CVE-2026-15034
Deferred Deferred - Pending Action

Cross-Site Request Forgery in Flask-MonitoringDashboard

Vulnerability report for CVE-2026-15034, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: VulDB

Description

A vulnerability has been found in flask-dashboard Flask-MonitoringDashboard up to 5.0.2. Affected by this issue is some unknown functionality. Such manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
flask_monitoringdashboard flask_monitoringdashboard to 5.0.2 (inc)
flask-dashboard flask-monitoringdashboard to 5.0.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include implementing CSRF protection on the vulnerable `/api/user/create` endpoint to prevent unauthorized admin user creation.

If possible, restrict access to the Flask-MonitoringDashboard interface and its API endpoints to trusted networks or authenticated users only.

Monitor logs for suspicious activity related to user creation and remove any unauthorized admin accounts created by attackers.

Consider disabling or restricting the dashboard temporarily until a patch or official fix is released.

Executive Summary

This vulnerability is a Cross-Site Request Forgery (CSRF) issue found in the Flask-MonitoringDashboard application, specifically affecting the admin user creation endpoint (`/api/user/create`). Because the application lacks CSRF protection, an attacker can trick an authenticated administrator into submitting a malicious request that creates a new admin account with attacker-chosen credentials. This allows the attacker to gain persistent unauthorized access to the monitoring dashboard.

Impact Analysis

Exploitation of this vulnerability can lead to a complete takeover of the Flask-MonitoringDashboard by an attacker. The attacker can create an admin account without authorization, gaining access to sensitive operational data such as request statistics, exception traces, and even the application source code. This compromises the confidentiality and integrity of the monitored application and its data.

Detection Guidance

This vulnerability can be detected by checking if the Flask-MonitoringDashboard application is running a vulnerable version (up to 5.0.2) and if the `/api/user/create` endpoint is accessible without CSRF protection.

One way to detect exploitation attempts is to monitor HTTP requests to the `/api/user/create` endpoint for suspicious POST requests that create new admin users without proper CSRF tokens.

You can use network monitoring tools or command-line utilities like curl or wget to test the endpoint manually.

  • Example curl command to test if the endpoint accepts POST requests without CSRF tokens: curl -X POST http://<your-flask-app>/api/user/create -d '{"username":"testadmin","password":"testpass"}' -H 'Content-Type: application/json'
  • Use web application scanners or proxy tools (e.g., OWASP ZAP, Burp Suite) to detect missing CSRF protections on sensitive endpoints.
Compliance Impact

The vulnerability allows an attacker to create a persistent admin account on the Flask-MonitoringDashboard by exploiting a lack of CSRF protection. This unauthorized access can lead to exposure of sensitive operational data, including request statistics, exception traces, and application source code.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly detail the types of personal or protected health information involved, so the exact compliance impact cannot be fully determined from the available data.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15034. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart