Cross-Site Request Forgery (CSRF) in modoboa/modoboa
Description
Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.0.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Modoboa prior to 2.0.4 allowed attackers to delete users via crafted requests.
Vulnerability
Overview
CVE-2023-0406 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the delaccount view in Modoboa, an open-source mail hosting and management platform [3]. The vulnerability existed in versions prior to 2.0.4 and allowed an attacker to delete user accounts without proper CSRF protection [1][2]. The root cause was that the account deletion endpoint accepted any HTTP method, including GET, as shown by the fix commit, which added the @require_http_methods(["POST"]) decorator [4]. Django's CsrfViewMiddleware validates the CSRF token only on unsafe methods (POST, PUT, PATCH, DELETE) and lets GET requests through unchecked, so a state-changing view reachable by GET is effectively unprotected; restricting it to POST puts it back under the middleware's token check.
Exploitation
To exploit this vulnerability, an attacker would need to trick an authenticated user holding the core.delete_user permission (typically an administrator) into visiting a malicious webpage or clicking a crafted link. Because the delete-user endpoint accepted GET requests, which carry no CSRF token, a single HTML element that issues a GET (such as an `<img>` tag) or an auto-submitted form could trigger the unauthorized deletion of a targeted user account; the browser attaches the victim's session cookie to the request automatically. No authentication bypass was required; the attacker merely needed to lure a logged-in privileged user to the crafted request.
Impact
A successful CSRF attack could result in the arbitrary deletion of user accounts on the Modoboa instance. This could lead to denial of service for legitimate users, loss of email data, and disruption of mail services. The attack rides on the victim's privileged session: the attacker needs no account on the Modoboa instance, only a logged-in user with the core.delete_user permission who visits the attacker's page.
Mitigation
The vulnerability was patched in Modoboa release 2.0.4, which restricted the delete-account view to POST requests and thereby brought it under Django's CSRF validation [4]. Users are strongly advised to upgrade to version 2.0.4 or later. No workarounds were documented; applying the fix is the recommended course of action. Note that a SameSite=Lax session cookie does not fully mitigate this class of bug: Lax still sends cookies on top-level GET navigations, so a crafted link remains effective; only the POST-only fix closes the hole.
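The following is an added example, not code from this page or from the Modoboa project. It is a pure-Python model of the request flow described in the Exploitation and Mitigation sections: it does not import Django, and the `Request`, `csrf_middleware`, `require_http_methods` names and the `/admin/accounts/delete/<pk>` path are assumptions chosen to mimic the behaviour of Django's CsrfViewMiddleware and decorator (token masking, Origin/Referer checks and trusted-origins handling are deliberately left out). The accounts are constructed sample data.

```python
"""Model of why a GET-accepting delete view is CSRF-able and how a
POST-only restriction plus CSRF middleware closes the hole.

Added illustration; names, path and sample accounts are assumptions.
"""
from dataclasses import dataclass, field
import hmac
import secrets

# Methods the CSRF middleware treats as "safe" and never token-checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # sent by the browser automatically
    post: dict = field(default_factory=dict)      # form body, attacker-controlled
    headers: dict = field(default_factory=dict)   # e.g. X-CSRFToken set by first-party JS


@dataclass
class Response:
    status: int


def csrf_middleware(request, view):
    """Simplified CsrfViewMiddleware: safe methods bypass the check entirely;
    unsafe methods must present a token equal to the csrftoken cookie."""
    if request.method in SAFE_METHODS:
        return view(request)
    cookie = request.cookies.get("csrftoken", "")
    sent = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken", "")
    if not cookie or not hmac.compare_digest(cookie, sent):
        return Response(403)
    return view(request)


def require_http_methods(allowed):
    """Mimics django.views.decorators.http.require_http_methods: 405 otherwise."""
    def deco(view):
        def wrapper(request):
            if request.method not in allowed:
                return Response(405)
            return view(request)
        return wrapper
    return deco


def make_app(patched):
    """Build a tiny app with a delete view; `patched` adds the POST-only guard."""
    users = {1: "alice", 2: "bob"}  # constructed sample accounts

    def delaccount(request):
        pk = int(request.path.rsplit("/", 1)[-1])
        users.pop(pk, None)
        return Response(200)

    view = require_http_methods(["POST"])(delaccount) if patched else delaccount
    return (lambda request: csrf_middleware(request, view)), users


def simulate(patched, method, with_token):
    """Issue one request against user 2 and report (status, user 2 still exists)."""
    handle, users = make_app(patched)
    token = secrets.token_urlsafe(16)
    # The victim's browser attaches these cookies to any request to the site.
    cookies = {"sessionid": "victim-session", "csrftoken": token}
    # Only first-party JS can read csrftoken; a cross-site page cannot.
    headers = {"X-CSRFToken": token} if with_token else {}
    resp = handle(Request(method, "/admin/accounts/delete/2", cookies, {}, headers))
    return resp.status, 2 in users


def csrf_via_img(patched):
    """Cross-site <img src=...> or link: a GET with cookies but no token."""
    return simulate(patched, "GET", with_token=False)


def forged_post(patched):
    """Cross-site auto-submitted form: POST with cookies but no token."""
    return simulate(patched, "POST", with_token=False)


def legitimate_post(patched):
    """First-party UI: POST carrying the token read from the cookie."""
    return simulate(patched, "POST", with_token=True)


if __name__ == "__main__":
    print("unpatched, img GET :", csrf_via_img(False))     # deleted
    print("patched,   img GET :", csrf_via_img(True))      # 405, intact
    print("patched,   forged  :", forged_post(True))       # 403, intact
    print("patched,   legit   :", legitimate_post(True))   # 200, deleted
```

Running it shows the asymmetry the advisory hinges on: the middleware already rejected forged POSTs in both versions, so the whole exposure came from the view answering GET, which the middleware never inspects.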
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| modoboa (PyPI) | < 2.0.4 | 2.0.4 |
Affected products
- modoboa/modoboa/modoboa v5: range unspecified
Patches
7f0573e91722 Enforce POST method for account delete view
1 file changed · +2 −0
modoboa/admin/views/identity.py+2 −0 modified@@ -11,6 +11,7 @@ from django.utils.translation import ugettext as _, ungettext from django.views import generic from django.views.decorators.csrf import ensure_csrf_cookie +from django.views.decorators.http import require_http_methods from modoboa.core.models import User from modoboa.lib.exceptions import BadRequest, PermDeniedException @@ -185,6 +186,7 @@ def editaccount(request, pk): @login_required @permission_required("core.delete_user") +@require_http_methods(["POST"]) def delaccount(request, pk): User.objects.get(pk=pk).delete() return render_to_json_response(
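Review bot: the `@require_http_methods(["POST"])` added on `delaccount` only stops CSRF if `CsrfViewMiddleware` is active for this path; the decorator itself validates no token, it just answers GET with 405 so that the remaining POST falls under the middleware's unsafe-method check. Since the commit touches only `modoboa/admin/views/identity.py` (+2 −0), any front-end code or link that previously triggered deletion via GET now breaks and must be updated to POST with the CSRF token, and a regression test asserting 405 on GET and 403 on a token-less POST would document the intent. Separately, `User.objects.get(pk=pk).delete()` raises `User.DoesNotExist` for an unknown pk, turning a bad id into a 500; `get_object_or_404(User, pk=pk)` is the usual fix.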
References
- GHSA-g298-59pg-93h7 (advisory): github.com/advisories/GHSA-g298-59pg-93h7
- NVD entry (advisory): nvd.nist.gov/vuln/detail/CVE-2023-0406
- Fix commit (web): github.com/modoboa/modoboa/commit/7f0573e917227686d2cc127be1364e2908740807
- PYSEC-2023-283 (web): github.com/pypa/advisory-database/tree/main/vulns/modoboa/PYSEC-2023-283.yaml
- huntr report (web): huntr.dev/bounties/d7007f76-3dbc-48a7-a2fb-377040fe100c