CVE-2026-38978
Description
Transmission versions prior to 4.1.2 are vulnerable to clickjacking due to missing anti-framing headers in the WebUI and RPC responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Transmission versions prior to 4.1.2, including development versions like 4.2.0-dev, are susceptible to clickjacking attacks. This vulnerability exists because the browser-facing WebUI and RPC response paths do not include anti-framing security headers such as X-Frame-Options or Content-Security-Policy: frame-ancestors. The issue affects the default HTTP response path when serving WebUI and RPC content [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page that embeds the Transmission WebUI or RPC interface within an iframe. If the user who visits that page is already authenticated to Transmission (or can be tricked into authenticating), the attacker's page can position or disguise the embedded interface so that the user's clicks land on Transmission controls, performing actions on behalf of the user [1].
Impact
Successful exploitation of this clickjacking vulnerability allows an attacker to trick a user into performing unintended actions within the Transmission WebUI or RPC interface. This could lead to unauthorized modifications of torrents, changes to Transmission settings, or other actions that the authenticated user is permitted to perform, effectively compromising the user's control over their Transmission client [1].
Mitigation
This vulnerability has been fixed in Transmission version 4.1.2, released on March 30, 2026, as part of the 4.1.2 milestone [3]. The fix involves adding X-Frame-Options: SAMEORIGIN and Content-Security-Policy: frame-ancestors 'self' headers to HTTP responses [2]. Users are strongly advised to upgrade to version 4.1.2 or later to mitigate this risk.
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=4.1.1
Patches
16b24c1c214ec fix: add clickjack safeguards when serving http responses (#8747)
1 file changed · +10 −1
libtransmission/rpc-server.cc+10 −1 modified@@ -177,7 +177,15 @@ namespace { int constexpr DeflateLevel = 6; // medium / default -// --- +// Prevent clickjacking on the browser-facing WebUI and RPC responses. +// https://github.com/transmission/transmission/issues/8726 +// https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html. +void add_clickjacking_prevention_headers(struct evkeyvalq* headers) +{ + // Send X-Frame-Options for older browsers + CSP frame-ancestors for newer ones + evhttp_add_header(headers, "X-Frame-Options", "SAMEORIGIN"); + evhttp_add_header(headers, "Content-Security-Policy", "frame-ancestors 'self'"); +} void send_simple_response(struct evhttp_request* req, int code, char const* text = nullptr) { @@ -532,6 +540,7 @@ void handle_request(struct evhttp_request* req, void* arg) auto* const output_headers = evhttp_request_get_output_headers(req); evhttp_add_header(output_headers, "Server", MY_REALM); + add_clickjacking_prevention_headers(output_headers); if (server->is_anti_brute_force_enabled() && server->login_attempts_ >= server->settings().anti_brute_force_limit) {
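Review bot: the patch touches only libtransmission/rpc-server.cc (1 file changed, +10 −1), so nothing asserts that both a WebUI asset response and an RPC response from `handle_request` actually carry `X-Frame-Options` and `Content-Security-Policy`; add a test for the header pair so a later refactor of `handle_request` cannot silently drop the `add_clickjacking_prevention_headers(output_headers);` call. Two smaller points in the first hunk: the WebUI does not appear to frame itself, so `DENY` and `frame-ancestors 'none'` would be the stricter values than `SAMEORIGIN` / `'self'` if that holds, and the OWASP URL in the comment ends in a literal `.` (`Clickjacking_Defense_Cheat_Sheet.html.`) that will break the link when copied.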
Vulnerability mechanics
Root cause
"The browser-facing WebUI and RPC responses were served without anti-framing protections."
Attack vector
An attacker can craft a malicious webpage that embeds the Transmission management UI within an iframe. By tricking an authenticated user into visiting this page, the attacker can exploit the lack of anti-framing headers to perform clickjacking attacks against the user's session. This could lead to UI redressing and bypass of browser-layer trust boundaries [ref_id=1].
Affected code
The vulnerability exists in the `handle_request` function within `libtransmission/rpc-server.cc`. Specifically, the code path responsible for serving the browser-facing WebUI and RPC responses did not include anti-clickjacking headers.
What the fix does
The patch introduces a new function `add_clickjacking_prevention_headers` which adds the `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-ancestors 'self'` headers to HTTP responses [patch_id=4518428]. This function is called within the `handle_request` function before responses are sent to the browser, thereby preventing the WebUI and RPC interfaces from being embedded in frames on other sites [patch_id=4518428].
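A defender-side check for the header pair the fix adds, written here as an added example and not Transmission's own code: it parses raw HTTP response headers and reports whether a modern browser would refuse to frame the page cross-origin, covering CSP `frame-ancestors` (which overrides `X-Frame-Options`), a CSP that lacks that directive, wildcard sources, and the deprecated `ALLOW-FROM` value. The two sample responses are constructed to mirror the before/after headers described above, not captured from a real daemon.

```python
from __future__ import annotations

# Constructed sample responses mirroring the headers named in the CVE-2026-38978 fix;
# not captured from a real Transmission daemon (the real Server value is a macro).
BEFORE_FIX = (
    "HTTP/1.1 200 OK\r\nServer: Transmission\r\n"
    "Content-Type: text/html\r\n\r\n"
)
AFTER_FIX = (
    "HTTP/1.1 200 OK\r\nServer: Transmission\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: frame-ancestors 'self'\r\n"
    "Content-Type: text/html\r\n\r\n"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Map lower-cased header names to every value sent (repeated headers are kept)."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Source list of the first frame-ancestors directive in any CSP header, else None.
    An empty list means the directive was present with no sources (equivalent to 'none')."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def framing_protected(raw: str) -> bool:
    """True if a modern browser would refuse to render this response inside a
    cross-origin frame. CSP frame-ancestors takes precedence over X-Frame-Options;
    the deprecated ALLOW-FROM value is ignored by current browsers and does not count."""
    headers = parse_headers(raw)
    sources = frame_ancestors(headers.get("content-security-policy", []))
    if sources is not None:
        # '*' or a bare scheme such as 'https:' lets any site of that scheme frame us.
        return "*" not in sources and not any(s.endswith(":") for s in sources)
    xfo = headers.get("x-frame-options", [])
    return len(xfo) == 1 and xfo[0].upper() in ("DENY", "SAMEORIGIN")
```

To audit a live instance, feed `framing_protected` the raw header block of a response from the WebUI and from the RPC endpoint separately, since both paths are in scope for this CVE.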
Preconditions
- network: The Transmission daemon must be accessible over the network.
- input: The user must be tricked into visiting an attacker-controlled webpage that embeds the Transmission UI.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References