VYPR
High severity · NVD Advisory · Published Mar 30, 2006 · Updated Apr 16, 2026

CVE-2006-1546

Description

Apache Struts before 1.2.9 allows remote attackers to bypass validation by sending a request with the CANCEL parameter, which cancels the action without triggering the isCancelled check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Apache Struts versions before 1.2.9 contain a vulnerability in the handling of the org.apache.struts.taglib.html.Constants.CANCEL parameter. When a request includes this parameter, the action is canceled, but applications that do not explicitly call the isCancelled method will not detect the cancellation, allowing validation to be bypassed [1].

Exploitation

An attacker can send a crafted HTTP request containing the CANCEL parameter to a Struts action that does not implement the isCancelled check. No authentication is required; the attacker only needs network access to the application [1].

Impact

Successful exploitation allows an attacker to bypass input validation, potentially leading to unintended action execution or data manipulation. The specific impact depends on the application logic, but it can result in unauthorized operations [1].

Mitigation

Upgrade to Apache Struts version 1.2.9 or later, which includes the fix. If upgrading is not possible, ensure that all actions check isCancelled appropriately. The vulnerability is old and likely patched in all modern versions [1][2].
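
One way to make sure every action performs the isCancelled check, shown as an added example that is not from the advisory or the Struts project: a base class built on the Struts 1.x Action API. The class name CancelCheckedAction and the methods onCancel and executeValidated are hypothetical, and the Struts 1.x and Servlet API jars are assumed to be on the classpath.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical base class (name is an assumption of this example): every
 * action that extends it gets the isCancelled check before its own logic.
 */
public abstract class CancelCheckedAction extends Action {

    // final, so a subclass cannot skip the check by overriding execute().
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        // A request carrying the cancel parameter arrives here without the
        // form having been validated, so the form must not be used.
        if (isCancelled(request)) {
            return onCancel(mapping, form, request, response);
        }
        return executeValidated(mapping, form, request, response);
    }

    /**
     * Default for actions that have no cancel button: reject the request.
     * Returning null tells Struts the response is already complete.
     * Actions with a real cancel button override this to forward elsewhere.
     */
    protected ActionForward onCancel(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
        return null;
    }

    /** Business logic; runs only for requests that were not cancelled. */
    protected abstract ActionForward executeValidated(ActionMapping mapping,
            ActionForm form, HttpServletRequest request,
            HttpServletResponse response) throws Exception;
}
```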

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
struts:struts (Maven) | < 1.2.9 | 1.2.9

References

15
