Description
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to versions 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. a self-signed one), leaving the SMTP credentials and all emails sent open to MITM attacks. This vulnerability is fixed in 2.10.10 and 2.11.5.
References (1)
https://github.com/ckan/ckan/security/advisories/GHSA-mpfm-fpgx-647q
Scores
CVSS v3
7.4
EPSS
0.0001
EPSS Percentile
0.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-295
Status
published
Products (5)
ckan/ckan
< 2.10.10
ckan/ckan
>= 2.11.0, < 2.11.5
okfn/ckan
< 2.10.10
pypi/ckan
0 - 2.10.10 (PyPI)
pypi/ckan
2.11.0 - 2.11.5 (PyPI)
Published
May 13, 2026
Tracked Since
May 14, 2026