CVE-2026-40471 PUBLISHED

Hackage CSRF vulnerability

Assigner: redhat-cnalr
Reserved: 13.04.2026
Published: 23.04.2026
Updated: 23.04.2026

hackage-server lacked Cross-Site Request Forgery (CSRF) protection across its endpoints. A script on a foreign site could trigger requests to the Hackage server, possibly abusing a user's latent (still-valid) credentials to upload packages or perform other administrative actions. Some unauthenticated actions could also be abused (e.g. creating new user accounts).
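Added example (not hackage-server's own code): the kind of guard the description says was missing, which refuses any state-changing request whose Origin/Referer is not the site's own origin and additionally requires a form token bound to the session cookie. SITE_ORIGIN, the request paths and the sample traffic are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://hackage.haskell.org"  # assumed deployment origin
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}      # read-only; exempt from the check

@dataclass
class Request:                 # minimal stand-in for a framework request object
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def origin_of(url):            # scheme://host[:port] of a URL, or None if it has none
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None

def csrf_verdict(req, site_origin=SITE_ORIGIN):
    """Return (allowed, reason). A state change must come from our own origin AND
    carry a form token equal to the cookie-bound one, which a foreign page cannot read."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    headers = {k.lower(): v for k, v in req.headers.items()}
    source = headers.get("origin") or headers.get("referer")
    if source is None:
        return False, "no Origin or Referer header; refusing state change"
    if origin_of(source) != site_origin:
        return False, f"cross-origin request from {origin_of(source)}"
    expected, supplied = req.cookies.get("csrf_token"), req.form.get("csrf_token")
    if not (expected and supplied and hmac.compare_digest(expected, supplied)):
        return False, "missing or mismatched CSRF token"
    return True, "same-origin request with valid token"

# Constructed sample traffic (paths are illustrative, not hackage-server's routes): a forged
# upload riding on an ambient session cookie, a forged account creation, a legitimate upload.
SAMPLES = {
    "forged_upload": Request("POST", "/package/upload", {"Origin": "https://evil.example"},
                             cookies={"session": "s1", "csrf_token": "t1"}),
    "forged_register": Request("POST", "/users/register",
                               {"Referer": "https://evil.example/page"}),
    "legit_upload": Request("POST", "/package/upload", {"Origin": SITE_ORIGIN},
                            cookies={"csrf_token": "t1"}, form={"csrf_token": "t1"}),
}

def check_all(samples=SAMPLES):  # name -> whether the guard lets the request through
    return {name: csrf_verdict(r)[0] for name, r in samples.items()}
```

Note that the Origin check alone would already stop both forged samples; the token is the second line of defence for clients that strip or omit the header.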

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
CVSS Score: 9.6

Product Status

Package Collection: https://hackage.haskell.org/package/hackage-server
Package Name: hackage-server
Versions (default: unaffected):
  • affected from 0.1 to * (excl.)

References

Problem Types

  • CWE-352 Cross-Site Request Forgery (CSRF)