CVE-2026-40549
Description
SOPlanning versions ≤1.55 are vulnerable to CSRF in groupe_save endpoints, allowing attackers to create, modify, or delete groups via forged requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SOPlanning versions 1.55 and below are vulnerable to Cross‑Site Request Forgery (CSRF) in the groupe_save endpoints used for creating, modifying, and deleting groups. The application does not implement anti‑CSRF tokens or other origin‑validation mechanisms, making the endpoints susceptible to forged requests from external sites [1].
Exploitation
An attacker must craft a malicious website or email that, when visited by an authenticated SOPlanning user, automatically sends a forged GET or POST request to one of the groupe_save endpoints. No additional authentication or user interaction beyond visiting the attacker‑controlled page is required. The forged request can be triggered without the victim’s knowledge [1].
Impact
A successful CSRF attack allows the attacker to create, modify, or delete groups within the SOPlanning application. This can lead to unauthorized changes in project and resource management structures, potentially disrupting team assignments and visibility. The attacker does not gain direct access to sensitive data but can alter group configurations [1].
Mitigation
As of the publication date (2026‑06‑01), no patched version has been released. The vendor has not disclosed a fix. Administrators should implement CSRF protections such as synchronizer tokens or same‑site cookie attributes. Until a patch is available, consider restricting access to the groupe_save endpoints via network controls or disabling group management features if not essential [1].
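One way to implement the synchronizer-token and origin checks the mitigation describes, as an added example that is not SOPlanning's own code; the `request` and `session` dicts, the `APP_ORIGIN` value and the form field names are assumptions standing in for a real web framework:

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example: a server-side CSRF guard for a state-changing endpoint
# such as groupe_save. The `request` dict stands in for a framework request
# object; APP_ORIGIN is an assumed deployment origin.
APP_ORIGIN = "https://planning.example.test"


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: one random token per session, stored
    server-side and embedded in each form; a cross-site page cannot read it."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_allowed(headers: dict) -> bool:
    """Origin/Referer check: accept only requests whose source origin is ours.
    A request carrying neither header is rejected, since forged requests
    (or privacy settings) can omit them."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def csrf_guard(request: dict, session: dict) -> tuple:
    """Return (allowed, reason) for a request to a state-changing endpoint.
    Both checks must pass; GET is refused outright so a link or image tag
    cannot trigger a change."""
    if request.get("method") != "POST":
        return False, "state changes must use POST, not GET"
    if not _origin_allowed(request.get("headers", {})):
        return False, "origin/referer mismatch"
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid synchronizer token"
    return True, "ok"
```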
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.55
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.