CVE-2026-55742 (CRITICAL), CNA: TuranSec

CVE-2026-55742: Cotonti CSRF in admin.rights.php allows privilege escalation

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can force the browser to submit a forged request that grants elevated permissions to an attacker-controlled group, escalating privileges to administrator. Because Cotonti administrators can modify templates and configuration, this can be further leveraged toward remote code execution.
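The mechanics described above reduce to one missing check. The following is an added example, not Cotonti code: a small Python model of a rights-update handler in its vulnerable form (admin session is enough) and its fixed form (the request must also carry the per-session token, the role cot_check_xg() plays in Cotonti). The Session and Request shapes, the rights table, the parameter names and the `x` token name are assumptions chosen for this illustration; the point it shows is that a forged cross-site request arrives with the victim's cookie but cannot carry a token the attacker has never seen.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a rights-update endpoint, added to illustrate the bug
# class the advisory describes. It is NOT Cotonti code: the Session/Request
# shapes, field names and rights table are assumptions for this example.


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session anti-CSRF secret. In Cotonti this role is played by the
    # token cot_check_xg() compares against; here it is just random hex.
    xk: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    session: Session  # cookie-bound session the browser attaches automatically
    get: dict         # query-string parameters
    post: dict        # form-body parameters


def check_xg(req: Request) -> bool:
    """Synchronizer-token check: the 'x' query parameter must equal the token
    bound to the session. Comparing as bytes keeps compare_digest constant-time
    and avoids the TypeError it raises for non-ASCII str an attacker could send."""
    supplied = req.get.get("x", "")
    return hmac.compare_digest(supplied.encode("utf-8"),
                               req.session.xk.encode("utf-8"))


def rights_update_vulnerable(req: Request, rights: dict) -> bool:
    """Applies the change whenever the attached session is an admin. A forged
    cross-site request carries the admin's cookie, so it is accepted."""
    if req.get.get("a") != "update" or not req.session.is_admin:
        return False
    rights.setdefault(req.post["group"], set()).update(req.post["grant"])
    return True


def rights_update_fixed(req: Request, rights: dict) -> bool:
    """Same handler with the token check the advisory says is missing."""
    if req.get.get("a") != "update" or not req.session.is_admin:
        return False
    if not check_xg(req):
        return False  # token missing or wrong: reject and change nothing
    rights.setdefault(req.post["group"], set()).update(req.post["grant"])
    return True


def forged_request(victim: Session) -> Request:
    """What an attacker's page makes the victim's browser send: the session
    rides along, but the attacker cannot read the token, so 'x' is absent."""
    return Request(session=victim,
                   get={"m": "rights", "a": "update"},
                   post={"group": "attacker_group", "grant": ["A"]})


def legitimate_request(admin: Session) -> Request:
    """A same-site submission: the page that rendered the form embedded the
    session token in the action URL."""
    return Request(session=admin,
                   get={"m": "rights", "a": "update", "x": admin.xk},
                   post={"group": "members", "grant": ["W"]})


def demo() -> dict:
    admin = Session(user="admin", is_admin=True)
    # 'A' stands in for administrative rights; two copies so both handlers
    # start from identical state.
    rights_vuln = {"admins": {"R", "W", "A"}, "members": {"R"}}
    rights_fixed = {"admins": {"R", "W", "A"}, "members": {"R"}}
    forged = forged_request(admin)
    return {
        "vulnerable_accepts_forgery": rights_update_vulnerable(forged, rights_vuln),
        "attacker_rights_vulnerable": rights_vuln.get("attacker_group", set()),
        "fixed_accepts_forgery": rights_update_fixed(forged, rights_fixed),
        "attacker_rights_fixed": rights_fixed.get("attacker_group", set()),
        "fixed_accepts_legitimate": rights_update_fixed(legitimate_request(admin), rights_fixed),
        "members_rights_fixed": rights_fixed["members"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed handler rejects the forged request before touching the rights table and still accepts the same-site submission whose URL carries the token. Checking the token is necessary but not sufficient on its own: it only works if the token is unguessable, bound to the session, and never leaked into a page the attacker can read.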

Metrics

CVSS v4.0 score: 9.4
Severity: CRITICAL
Fixed in: no upstream fix published
Affected products: 1


HarborGuard Analysis

Synopsis

A Cross-Site Request Forgery (CSRF) vulnerability in Cotonti 1.0.0 lets a remote attacker make an authenticated administrator's browser submit forged HTTP requests to the admin rights handler. The affected endpoint (system/admin/admin.rights.php) processes group permission updates without validating an anti-CSRF token, so the attack completes as soon as an authenticated admin loads a malicious page: the browser attaches the admin's session cookie to the forged request automatically, and no further interaction is needed. Successful exploitation grants an attacker-controlled group administrator-level rights, which in Cotonti can be leveraged further toward remote code execution through template and configuration modification. No upstream fix has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Cotonti 1.0.0. Any image containing the affected version is flagged immediately in both registry scans and CI/CD pipeline checks.
Triage: Available

HarborGuard scores this CVE at 9.4 (Critical) from the CVSS v4.0 vector and surfaces it at the top of the affected-environment queue with that severity label applied. Per-environment compliance policy weighting and team routing rules then direct the finding to the appropriate inbox inside each customer organization.
Patch: Pending upstream

Because no upstream fix version exists, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is published. In the interim, customers with auto-remediation enabled can apply compensating controls through HarborGuard policy rules, such as network-policy isolation of the admin interface and egress filtering. Neither closes the CSRF itself: a source-IP allow list still admits a forged request because it originates from a permitted administrator's own browser, and egress filtering only constrains what a compromised instance can reach afterwards. Both reduce exposure while waiting for the fix.

Exploit Conditions

  • Network reachability: Required

    The victim's browser must be able to reach the Cotonti admin interface; the attacker only needs to deliver the malicious page. An admin panel exposed only on an internal network is therefore still exploitable from an administrator's workstation on that network.

  • Authentication: Not required

    The attacker needs no credentials of their own; the forged request rides the victim administrator's already-authenticated browser session.

  • Victim interaction: Required

    An authenticated Cotonti administrator must visit an attacker-controlled page, so social engineering is the delivery mechanism.

  • Attack complexity: Low

    No race conditions, special memory layout, or environmental prerequisites are needed beyond luring the victim to the malicious page.

Blast Radius

  • The attacker gains administrator-level group membership in Cotonti, reading all site configuration, stored content, user records, and session data.
  • The attacker can modify group access rights for any user group, rewriting the site's entire permission model.
  • With administrator access, the attacker can edit Cotonti templates and configuration files, enabling injection of server-side code and full remote code execution on the host.
  • The availability of the application is at risk: an attacker can alter or delete configuration that crashes or disables the Cotonti instance.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-55742, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Cotonti publishes a remediated version. For customers who opt into auto-remediation, that rebuild will be accompanied by a regression-test run and a PR opened against affected workloads without manual intervention. While waiting for an upstream patch, customers can apply compensating controls through HarborGuard policy rules: isolating the Cotonti admin interface behind a dedicated network policy so only trusted source IPs can reach the admin entry point that dispatches to admin.rights.php, enabling egress filtering to reduce attacker-reachable callback surfaces, and flagging any image containing Cotonti 1.0.0 as non-compliant to block it from production promotion. The CSRF risk can also be partially mitigated at the HTTP layer by placing a reverse proxy in front of Cotonti that enforces an Origin or Referer check on state-changing POST requests to the admin path.
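The reverse-proxy check mentioned above is worth spelling out, because the edge cases are where such filters fail. The following is an added example, not HarborGuard or Cotonti code: the decision logic a proxy would apply, in Python, run over constructed sample requests. It assumes the proxy sees the request method, path and headers, that the Cotonti admin front controller is served under a path beginning with /admin (Cotonti's admin.php at the site root), and that the site's public origin is `https://cms.example.test`; those values are placeholders.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Added example, not HarborGuard or Cotonti code. Assumptions: the proxy has
# the request method, path and headers; the Cotonti admin front controller
# lives under a path beginning with /admin (admin.php at the site root); and
# the site is reached by browsers as SITE_ORIGIN (a placeholder value).
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
ADMIN_PREFIX = "/admin"
SITE_ORIGIN = "https://cms.example.test"


def _origin_tuple(url):
    """(scheme, host, port) of a URL with default ports filled in, or None for
    anything that is not a plain http(s) origin. That also covers the literal
    'null' browsers send for sandboxed frames and other opaque origins."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)


def _normalised_path(path):
    """Decode percent-encoding and collapse dot segments and duplicate slashes
    so '/%61dmin.php' or '//admin.php' cannot slip past the prefix match."""
    collapsed = posixpath.normpath(unquote(path))
    return "/" + collapsed.lstrip("/")


def allow_request(method, path, headers, site_origin=SITE_ORIGIN):
    """Decide whether the proxy forwards a request to Cotonti.

    Only unsafe methods aimed at the admin path are gated. Origin is
    authoritative when present; Referer is the fallback for browsers that omit
    Origin on same-origin POSTs. A gated request carrying neither header is
    refused (fail closed): a cross-site form submission always carries Origin,
    so allowing header-less requests would reopen the hole.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    if not _normalised_path(path).startswith(ADMIN_PREFIX):
        return True
    expected = _origin_tuple(site_origin)
    lower = {k.lower(): v for k, v in headers.items()}
    if "origin" in lower:
        return _origin_tuple(lower["origin"]) == expected
    if "referer" in lower:
        return _origin_tuple(lower["referer"]) == expected
    return False


# Constructed sample traffic: (label, method, path, headers).
SAMPLE_REQUESTS = [
    ("same-site form post", "POST", "/admin.php",
     {"Origin": "https://cms.example.test"}),
    ("same-site, Referer only", "POST", "/admin.php",
     {"Referer": "https://cms.example.test/admin.php?m=rights"}),
    ("forged cross-site post", "POST", "/admin.php",
     {"Origin": "https://attacker.example"}),
    ("Origin: null (sandboxed frame)", "POST", "/admin.php",
     {"Origin": "null"}),
    ("no Origin, no Referer", "POST", "/admin.php", {}),
    ("percent-encoded path", "POST", "/%61dmin.php",
     {"Origin": "https://attacker.example"}),
    ("double-slash path", "POST", "//admin.php",
     {"Origin": "https://attacker.example"}),
    ("wrong port", "POST", "/admin.php",
     {"Origin": "https://cms.example.test:8443"}),
    ("GET to admin is not gated", "GET", "/admin.php", {}),
    ("public POST is not gated", "POST", "/index.php",
     {"Origin": "https://attacker.example"}),
]


def evaluate(requests=SAMPLE_REQUESTS, site_origin=SITE_ORIGIN):
    """Map each sample label to the proxy's allow/deny decision."""
    return {label: allow_request(method, path, headers, site_origin)
            for label, method, path, headers in requests}


if __name__ == "__main__":
    for label, allowed in evaluate().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}")
```

Two caveats follow from the sample set. The gate is keyed on the HTTP method, so it only helps if the rights update is honoured solely on POST, as the advisory text describes; if the handler also applied `a=update` on a GET, the method gate would need to be widened to cover that query parameter. And Referer can legitimately be suppressed by Referrer-Policy or privacy extensions, which is why Origin is checked first and header-less requests fail closed rather than open.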

Affected packages
  • Cotonti / Cotonti
    1.0.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H