SMTP Server Spoofing Vulnerability in CKAN by Open Knowledge Foundation
CVE-2026-41132

6.6 MEDIUM

Key Information:

Vendor: Ckan

Status: Vendor

CVE Published: 13 May 2026

What is CVE-2026-41132?

CKAN, an open-source data management system, does not verify the TLS certificate presented by its configured SMTP server, so the outbound mail connection can be completed to a server presenting any certificate, including a self-signed one. An attacker positioned between the CKAN host and the mail server can therefore impersonate the SMTP server and capture the SMTP credentials and the contents of every email CKAN sends (man-in-the-middle). The issue is fixed in CKAN 2.10.10 and 2.11.5; operators should upgrade to one of those versions. After upgrading, expect the mail relay to be required to present a certificate that chains to a CA trusted by the CKAN host and matches the configured host name, since a self-signed or mismatched certificate that was silently accepted before will be rejected by a verifying client.
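The page does not show CKAN's mailer code, so the following is an added illustration, not CKAN's own implementation: CKAN is written in Python, and the weak and corrected configurations below are expressed with the standard library's smtplib and ssl modules. Host names, port, credentials and the CA bundle path are placeholders. The point it demonstrates is that STARTTLS alone does not stop the attack described above; only a context that requires a trusted certificate matching the configured host name does, and a small audit function can catch the weak setting before mail is sent.

```python
"""Weak vs. hardened STARTTLS configuration for an outbound SMTP client.

Added example (not CKAN's code). Hosts, ports and credentials are placeholders.
"""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional


def unverified_context() -> ssl.SSLContext:
    """The weak setting: the session is encrypted, but nothing checks that the
    peer is the server that was configured. Any certificate, self-signed
    included, is accepted, so an on-path attacker who can redirect the TCP
    connection terminates TLS, reads the credentials and reads the mail."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected setting: require a certificate that chains to a trusted CA
    and matches the host name we dial. ca_bundle (placeholder) lets an operator
    pin a private CA for an internal relay instead of using the system store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def smtplib_default_starttls_context() -> ssl.SSLContext:
    """What smtplib.SMTP.starttls() uses when no context is passed: a context
    that does not verify the peer (ssl._create_stdlib_context is a private
    alias of ssl._create_unverified_context). Shown only to make the point
    that passing an explicit verifying context is the actual fix."""
    return ssl._create_stdlib_context()


def assess_context(ctx: ssl.SSLContext) -> dict:
    """Audit a client context; returns {'safe': bool, 'findings': [...]}."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required/verified")
    if not ctx.check_hostname:
        findings.append("host name not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed")
    return {"safe": not findings, "findings": findings}


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_mail(host: str, port: int, user: str, password: str,
              message: EmailMessage, context: ssl.SSLContext) -> None:
    """STARTTLS submission that refuses to run with a non-verifying context.
    The audit happens before any network I/O, so a misconfiguration fails
    closed instead of leaking the credentials to whoever answers the port."""
    report = assess_context(context)
    if not report["safe"]:
        raise ValueError("refusing to send: " + "; ".join(report["findings"]))
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; not sending")
        # With a verifying context this raises ssl.SSLCertVerificationError
        # when a spoofed or self-signed server answers, before LOGIN is sent.
        smtp.starttls(context=context)
        smtp.ehlo()
        smtp.login(user, password)
        smtp.send_message(message)


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("smtplib default", smtplib_default_starttls_context()),
                      ("verified", verified_context())):
        print(name, assess_context(ctx))
    # Placeholder relay; with the verifying context a self-signed relay fails the handshake.
    # send_mail("smtp.example.invalid", 587, "ckan", "secret",
    #           build_message("ckan@example.invalid", "user@example.invalid", "test", "hi"),
    #           verified_context())
```

Running the module prints the audit result for each context; only the verified one reports safe. The order of the two attribute assignments in unverified_context matters: Python refuses to set verify_mode to CERT_NONE while check_hostname is still enabled, which is a small guard rail in the direction of the safe configuration.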

Affected Version(s)

ckan >= 2.11.0, < 2.11.5 (fixed in 2.11.5)

ckan < 2.10.10 (fixed in 2.10.10)

References

CVSS V4

Score:
6.6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published: 13 May 2026

  • Vulnerability reserved