CVE-2016-10522
Description
rails_admin ruby gem <v1.1.1 is vulnerable to cross-site request forgery (CSRF) attacks. Non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rails_admin <1.1.1 omits CSRF token validation for non-GET requests, enabling cross-site request forgery attacks against administrative endpoints.
Vulnerability
rails_admin, a Rails engine providing an administrative interface for data management, is vulnerable to cross-site request forgery (CSRF) in versions before 1.1.1 (the GitHub Security Advisory lists 1.0.0 up to, but not including, 1.1.1 as affected). The engine's RailsAdmin::ApplicationController never called protect_from_forgery, so the authenticity token was not validated on state-changing requests (POST, PUT, PATCH, DELETE); GET requests are not token-checked by Rails in any case. Because that controller inherits from the configured parent_controller, which defaults to ActionController::Base rather than the host application's own ApplicationController, the host's protect_from_forgery does not cover the engine's routes. Any application running the vulnerable gem with the default configuration is therefore exposed [1], [2].
Exploitation
An attacker hosts a page (or sends a link) that, when an authenticated rails_admin user opens it, submits a cross-site form or script request to an administrative endpoint, for example a POST to a model's create, update or delete action. No special network position is needed beyond getting the victim's browser to load the page: the browser attaches the victim's session cookie, and because the engine never compares the submitted authenticity_token with the one in the session, the forged request is accepted. The attacker needs no credentials of their own; the exploit rides on the victim's existing authenticated session [1], [4].
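The forged request and the missing check, as an added example that is not rails_admin's code: a plain-Ruby model of Rails' authenticity-token verification, with a dispatcher that skips the check (the engine controller before 1.1.1) beside one that enforces it (the behaviour of protect_from_forgery with: :exception). The session store, cookie value, token values, the /admin/user/1/delete path and the function names are constructed for illustration; the constant-time comparison stands in for Rails' own.

```ruby
# Added example, not rails_admin's own code: a plain-Ruby model of Rails'
# authenticity-token check. Session data, cookie value, paths and function
# names are constructed for illustration.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

# Rails never token-checks these methods; everything else must carry a token.
SAFE_METHODS = %w[GET HEAD].freeze

# Server-side session store: one signed-in rails_admin user whose per-session
# CSRF secret lives in the session (constructed sample data).
SESSIONS = {
  'victim-session-cookie' => { user: 'admin', csrf_token: SecureRandom.hex(32) }
}

# Rack::MethodOverride: a POST carrying _method=delete is handled as DELETE.
def effective_method(req)
  override = req[:params]['_method']
  return req[:method] unless req[:method] == 'POST' && override
  override.upcase
end

# Constant-time comparison (stand-in for ActiveSupport::SecurityUtils.secure_compare).
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Equivalent of Rails' verified_request?: safe method, or the submitted token
# (form field or X-CSRF-Token header) matches the session's token.
def verified_request?(req, session)
  return true if SAFE_METHODS.include?(effective_method(req))
  return false unless session
  submitted = req[:params]['authenticity_token'] || req[:headers]['X-CSRF-Token']
  secure_compare(submitted, session[:csrf_token])
end

# The admin action itself, once a request reaches it.
def run_action(req)
  session = SESSIONS[req[:cookie]]
  return [401, 'not signed in'] unless session
  [200, "#{session[:user]} performed #{effective_method(req)} #{req[:path]}"]
end

# rails_admin < 1.1.1: the engine controller never called protect_from_forgery.
def dispatch_without_csrf(req)
  run_action(req)
end

# rails_admin >= 1.1.1: the token check runs before anything else.
def dispatch_with_csrf(req)
  raise InvalidAuthenticityToken unless verified_request?(req, SESSIONS[req[:cookie]])
  run_action(req)
end

# The cross-site request an attacker's page auto-submits. The victim's browser
# attaches the session cookie, but the attacker cannot read the victim's token,
# so the field can only hold a guess.
def forged_delete_request
  { method: 'POST', path: '/admin/user/1/delete', cookie: 'victim-session-cookie',
    params: { '_method' => 'delete', 'authenticity_token' => 'attacker-guess' },
    headers: {} }
end

# The same request as the admin UI sends it, carrying the real session token.
def legitimate_delete_request
  req = forged_delete_request
  real = SESSIONS['victim-session-cookie'][:csrf_token]
  req.merge(params: req[:params].merge('authenticity_token' => real))
end

if $PROGRAM_NAME == __FILE__
  p dispatch_without_csrf(forged_delete_request)   # accepted: the vulnerable engine
  begin
    dispatch_with_csrf(forged_delete_request)
  rescue InvalidAuthenticityToken => e
    p e.class                                        # rejected after the fix
  end
end
```

The vulnerable dispatcher accepts the forged DELETE because the only thing it looks at is the session cookie, which the browser supplies automatically; the patched one rejects it and still accepts the same request when it carries the session's token in the form field or the X-CSRF-Token header.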
Impact
Successful exploitation lets an attacker perform arbitrary administrative actions as the victim: creating, editing or deleting records through the engine, including user accounts and role assignments where those models are managed in rails_admin, which can amount to privilege escalation within the application. The impact is high because the administrative endpoints can change sensitive data, user roles and system configuration [2], [4].
Mitigation
Upgrade to rails_admin 1.1.1 or later. The fix (commit b13e879eb93b) adds protect_from_forgery with: :exception to RailsAdmin::ApplicationController, so a request with a missing or mismatched authenticity token raises ActionController::InvalidAuthenticityToken before authentication, authorization and auditing run. Rails only enforces this check where forgery protection is enabled (config.action_controller.allow_forgery_protection, on by default in production and off in the test environment), which is why the commit's spec stubs protect_against_forgery?. No workaround for earlier versions is documented, so applying the update is strongly advised. The advisory is also tracked in the Ruby Advisory Database and the GitHub Advisory Database as GHSA-pxqr-8v54-m2hj [2], [4].
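A practitioner's check for the affected range, as an added example that is not part of the advisory or of rails_admin: a Ruby script that reads a project's Gemfile.lock, picks out the resolved rails_admin version and classifies it against the ranges given above (affected >= 1.0.0, < 1.1.1; patched 1.1.1). The lockfile excerpts and function names are constructed sample data; the parser depends only on Bundler's "specs:" layout, and it separately flags versions older than 1.0.0, which the GitHub advisory leaves out of its range while the CVE text says "< 1.1.1".

```ruby
# Added example, not rails_admin's or the advisory's code: audit a Gemfile.lock
# for the rails_admin range in the GitHub Security Advisory. The lockfile
# texts below are constructed sample data.
require 'rubygems'

AFFECTED = Gem::Requirement.new('>= 1.0.0', '< 1.1.1')
PATCHED  = Gem::Version.new('1.1.1')

# Resolved "name => version" for every spec in the lockfile. Bundler writes
# each source block (GEM, GIT, PATH) as "  specs:" followed by gems at a
# four-space indent and their dependencies at six; top-level headers such as
# PLATFORMS and DEPENDENCIES start at column 0 and end the block.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/
    next unless in_specs
    m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = m[2] if m
  end
  versions
end

# Classify the locked rails_admin version against the advisory:
#   :absent     - rails_admin is not in the lockfile
#   :vulnerable - inside the GHSA affected range (>= 1.0.0, < 1.1.1)
#   :patched    - 1.1.1 or newer
#   :unlisted   - older than 1.0.0: outside the GHSA range, but the CVE text
#                 says "< 1.1.1", so it needs manual review rather than a pass
def audit_rails_admin(lockfile_text)
  version = locked_versions(lockfile_text)['rails_admin']
  return { status: :absent, version: nil } unless version
  v = Gem::Version.new(version)
  status = if AFFECTED.satisfied_by?(v) then :vulnerable
           elsif v >= PATCHED then :patched
           else :unlisted
           end
  { status: status, version: version }
end

# Constructed sample lockfiles (only the lines the parser cares about).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.0.0.1)
        actionpack (= 5.0.0.1)
      rails_admin (1.1.0)
        rails (>= 4.0, < 6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails_admin (~> 1.1)
LOCK

PATCHED_LOCK = VULNERABLE_LOCK.sub('rails_admin (1.1.0)', 'rails_admin (1.1.1)')

NO_ADMIN_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.0.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails
LOCK

if $PROGRAM_NAME == __FILE__
  # Point this at a real project: audit_rails_admin(File.read('Gemfile.lock'))
  [VULNERABLE_LOCK, PATCHED_LOCK, NO_ADMIN_LOCK].each { |lock| p audit_rails_admin(lock) }
end
```

Run it against a real project with audit_rails_admin(File.read('Gemfile.lock')); anything other than :patched or :absent means the engine's routes still accept forged non-GET requests and the gem should be bumped before the next deploy.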
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rails_admin (RubyGems) | >= 1.0.0, < 1.1.1 | 1.1.1 |
Affected products
- https://github.com/sferik/rails_admin (ruby gem), CVE v5 record, version range as recorded: >= 1.1.1
Patches
b13e879eb93b [Security] Fixes CSRF vulnerability, introduced by 53eef4fe2ec0953381f4e3197c885adc0423dd49
2 files changed · +15 −0
app/controllers/rails_admin/application_controller.rb+2 −0 modified@@ -11,6 +11,8 @@ class ActionNotAllowed < ::StandardError end class ApplicationController < Config.parent_controller.constantize + protect_from_forgery with: :exception + before_action :_authenticate! before_action :_authorize! before_action :_audit!
spec/integration/rails_admin_spec.rb+13 −0 modified@@ -148,4 +148,17 @@ is_expected.to have_selector('.label-danger') end end + + describe 'CSRF protection' do + before do + allow_any_instance_of(ActionController::Base).to receive(:protect_against_forgery?).and_return(true) + end + + it 'is enforced' do + visit new_path(model_name: 'league') + fill_in 'league[name]', with: 'National league' + find('input[name="authenticity_token"]', visible: false).set("invalid token") + expect { click_button 'Save' }.to raise_error ActionController::InvalidAuthenticityToken + end + end end
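Review bot: adding `protect_from_forgery with: :exception` to RailsAdmin::ApplicationController closes the gap, but it also hard-codes the :exception strategy for engine routes regardless of what the configured `Config.parent_controller` already uses; a host whose parent controller calls `protect_from_forgery with: :null_session` will now get ActionController::InvalidAuthenticityToken from admin routes instead, so the changelog and upgrade notes should say so. Placing the call above `before_action :_authenticate!` is the right order, since the token check is registered first and a forged request is rejected before authentication, authorization and auditing run. Also worth a comment beside the new line: the callback does nothing where forgery protection is disabled (the Rails test environment by default), which is why the accompanying spec has to stub `protect_against_forgery?` before it can exercise the check.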
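Review bot: the new 'CSRF protection' spec has no positive control and covers a single method: it tampers with `authenticity_token` on the create form reached via `new_path(model_name: 'league')` and expects ActionController::InvalidAuthenticityToken, but nothing shows that the same form saves when the token is left intact, and the advisory concerns every non-GET method, so add a companion example that submits with a valid token and expects success, plus at least one update or delete path. Stubbing `protect_against_forgery?` through `allow_any_instance_of(ActionController::Base)` works but reaches every controller in the request; enabling `ActionController::Base.allow_forgery_protection` in the `before` block and restoring it in an `after` states the intent more directly.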
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://github.com/advisories/GHSA-pxqr-8v54-m2hj (GHSA, advisory)
[2] https://nvd.nist.gov/vuln/detail/CVE-2016-10522 (GHSA, advisory)
[3] https://github.com/railsadminteam/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a (GHSA, web)
[4] https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails_admin/CVE-2016-10522.yml (GHSA, web)
[5] https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a (MITRE, x_refsource_CONFIRM)
[6] https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/ (MITRE, x_refsource_MISC)
[7] https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.