CVE-2018-6009
Description
In Yii Framework 2.x before 2.0.14, the switchIdentity function in web/User.php did not regenerate the CSRF token upon a change of identity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Yii Framework 2.x before 2.0.14, the switchIdentity function fails to regenerate the CSRF token upon identity change, enabling CSRF attacks.
Vulnerability
The vulnerability exists in the switchIdentity function within web/User.php of Yii Framework 2.x prior to version 2.0.14. When a user's identity changes (e.g., login or logout), this function does not regenerate the CSRF token, leaving the previous token valid. All Yii 2.x versions before 2.0.14 are affected [1][3][4].
Exploitation
An attacker who has obtained a valid CSRF token from before an identity change can reuse it to perform actions on behalf of the new identity. The attacker typically tricks the user into clicking a crafted link or submitting a form while the user is authenticated under the new identity. No additional authentication is required beyond the existing session [3][4].
Impact
Successful exploitation allows cross-site request forgery (CSRF) attacks, enabling an attacker to execute unauthorized actions—such as changing passwords or modifying settings—under the new identity. This compromises data integrity and can lead to account compromise [3][4].
Mitigation
The vulnerability is fixed in Yii Framework version 2.0.14 [1]. Users should upgrade to this release or later. No official workarounds for older versions have been published. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
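As an added illustration, not code from this page or from Yii, the following Python model reproduces the failure mode described above: a CSRF token issued before an identity change keeps validating requests for the new identity unless the identity switch regenerates it. The `Session` class, `switch_identity` and `stale_token_accepted` are constructed stand-ins, not Yii's API; the `regenerate_csrf` flag selects between the pre-2.0.14 behaviour and the fixed one.

```python
"""Model of CVE-2018-6009 (constructed example, not Yii code).

One CSRF token lives in the session. If switching identity leaves it
untouched, a token obtained while anonymous (or under a previous user)
still authorises requests for the new identity. The fixed variant
replaces the token on every identity change, as Yii 2.0.14 does.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Minimal stand-in for a server-side session (hypothetical class)."""
    identity: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def switch_identity(self, identity: Optional[str], regenerate_csrf: bool) -> None:
        """Change the current identity; None models logout.

        regenerate_csrf=False reproduces Yii 2.x < 2.0.14 (token kept);
        regenerate_csrf=True reproduces the 2.0.14 fix (token replaced).
        """
        self.identity = identity
        if regenerate_csrf:
            self.csrf_token = secrets.token_hex(16)

    def validate_csrf(self, submitted: str) -> bool:
        """Accept a state-changing request only if the token matches (constant time)."""
        return hmac.compare_digest(submitted, self.csrf_token)


def stale_token_accepted(fixed: bool) -> bool:
    """Return True if a token issued before login still validates after it.

    Sequence: anonymous session issues a token -> identity switches to a
    logged-in user -> the pre-login token is submitted against that user.
    """
    session = Session()                      # anonymous visitor
    pre_login_token = session.csrf_token     # issued before the identity change
    session.switch_identity("alice", regenerate_csrf=fixed)
    return session.validate_csrf(pre_login_token)


if __name__ == "__main__":
    print("vulnerable: stale token accepted =", stale_token_accepted(fixed=False))  # True
    print("fixed:      stale token accepted =", stale_token_accepted(fixed=True))   # False
```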
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yiisoft/yii2 (Packagist) | >= 2.0, < 2.0.14 | 2.0.14 |
| yiisoft/yii2-dev (Packagist) | >= 2.0, < 2.0.14 | 2.0.14 |
Affected products
- ghsa-coords (2 version ranges, no CPE):
  - range: >= 2.0, < 2.0.14
  - range: >= 2.0, < 2.0.14
Patches
- 6c0540aa2d6e: Fixes #15496: CSRF token is now regenerated on changing identity
3 files changed · +6 −0
framework/CHANGELOG.md+2 −0 modified@@ -3,6 +3,8 @@ Yii Framework 2 Change Log 2.0.14 under development ------------------------ + +- Enh #15496: CSRF token is now regenerated on changing identity (samdark, rhertogh) - Enh #15417: Added `yii\validators\FileValidator::$minFiles` (vladis84) - Bug #8983: Only truncate the original log file for rotation (matthewyang, developeruz) - Bug #14157: Add support for loading default value `CURRENT_TIMESTAMP` of MySQL `datetime` field (rossoneri)
framework/web/User.php+3 −0 modified@@ -641,6 +641,9 @@ public function switchIdentity($identity, $duration = 0) $this->sendIdentityCookie($identity, $duration); } } + + // regenerate CSRF token + Yii::$app->getRequest()->getCsrfToken(true); } /**
tests/framework/helpers/UrlTest.php+1 −0 modified@@ -29,6 +29,7 @@ protected function setUp() 'components' => [ 'request' => [ 'class' => 'yii\web\Request', + 'cookieValidationKey' => '123', 'scriptUrl' => '/base/index.php', 'hostInfo' => 'http://example.com/', 'url' => '/base/index.php&r=site%2Fcurrent&id=42',
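Review bot: the new CHANGELOG entry for #15496 is tagged `Enh` although the change closes the CSRF token-reuse issue tracked as CVE-2018-6009; tagging it as a bug or security fix, or mentioning the CVE in the entry, would let users scanning the 2.0.14 change log for security-relevant changes find it.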
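Review bot: in the `switchIdentity` hunk the added comment `// regenerate CSRF token` says what the line does but not why; since this single call is the security fix, a short note that a token issued before the identity change must not stay valid for the new identity (and that this deliberately runs on logout as well, which the advisory treats as an identity change) would help future maintainers. It is also worth stating in the comment that the token is fetched through the global `Yii::$app->getRequest()` rather than through anything configured on the user component.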
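Review bot: the UrlTest.php hunk adds `'cookieValidationKey' => '123'` to the test request component with no comment tying it to the fix; presumably the key is now needed because `switchIdentity` calls `getCsrfToken(true)` during the test, so a one-line comment saying that (or a link to #15496) would keep the test setup self-explanatory to someone who later wonders why a URL helper test configures cookie validation.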
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cwhm-272p-3wj9 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-6009 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2-dev/CVE-2018-6009.yaml (ghsa, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/yiisoft/yii2/CVE-2018-6009.yaml (ghsa, WEB)
- github.com/yiisoft/yii2/commit/6c0540aa2d6e0fe0fa89e4fd35bba4be5d6cece7 (ghsa, x_refsource_CONFIRM, WEB)
- www.yiiframework.com/news/165/yii-2-0-14-is-released (ghsa, WEB)
News mentions
No linked articles in our index yet.