{"id":"HSEC-2026-0002","summary":"Hackage CSRF vulnerability","details":"# Hackage CSRF vulnerability\n\n* Vulnerable File: `src/Distribution/Server/Features/Votes.hs` (example)\n* Impact: forged requests from foreign sites, performed with a\n  logged-in user's ambient credentials (CSRF)\n\nhackage-server lacked Cross-Site Request Forgery (CSRF) protection\nacross its endpoints.  Scripts on foreign sites could trigger\nrequests to hackage-server, possibly abusing a victim's ambient\ncredentials (e.g. a logged-in session) to upload packages or perform\nother administrative actions.  Some unauthenticated actions could\nalso be abused (e.g. creating new user accounts).\n\nTo fix the issue, a new CSRF middleware checks all requests.\nRequests using HTTP methods other than `GET`, `HEAD` and `OPTIONS`\nare subject to a check of the [`Sec-Fetch-Site`\nheader][sec-fetch-site], which is [widely supported by modern\nbrowsers][caniuse-sec-fetch-site].  Requests whose `Sec-Fetch-Site`\nvalue is `cross-site` are rejected with `403 Forbidden`.  Certain\napproved and expected non-browser user agents (e.g.\n`cabal-install/*`) are exempted from the check, as are requests\nusing token authentication (`Authorization: X-ApiKey ...`).\n\nThe fix has been [committed][commit] and deployed on\n`hackage.haskell.org`.\n\n## Acknowledgements\n\n- **Joshua Rogers** (https://joshua.hu/) of AISLE\n  (https://aisle.com/) reported the issue to the Haskell Security\n  Response Team.\n- **Spenser Janssen** implemented the fix, and **Fraser Tweedale**\n  reviewed it.\n- **Gershom Bazerman** merged the fix and deployed it to\n  `hackage.haskell.org`.\n\n[sec-fetch-site]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Sec-Fetch-Site\n[caniuse-sec-fetch-site]: https://caniuse.com/?search=sec-fetch-site\n[commit]: https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058\n","aliases":["CVE-2026-40471"],"modified":"2026-03-28T16:15:09.093594Z","published":"2026-03-28T16:04:58Z","database_specific":{"osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export","home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories"},"references":[{"type":"FIX","url":"https://github.com/haskell/hackage-server/commit/2de3ae45082f8f3f29a41f6aff620d09d0e74058"}],"affected":[{"package":{"name":"hackage-server","ecosystem":"Hackage","purl":"pkg:hackage/hackage-server"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1"}]}],"versions":["0.4","0.5.0"],"database_specific":{"human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2026/HSEC-2026-0002.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2026/HSEC-2026-0002.json","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2026/HSEC-2026-0002.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"}]}],"schema_version":"1.7.5"}
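
The Fetch Metadata check the advisory's `details` field describes, as an added example that is not part of the advisory record and not hackage-server's own Haskell middleware: a Python WSGI guard applying the same decision table (safe methods pass; token-authenticated and allow-listed non-browser clients pass; every other request needs a `Sec-Fetch-Site` value that is not `cross-site`). The user-agent allow-list contents, the WSGI framing, the sample requests and the choice to reject unsafe requests that carry no `Sec-Fetch-Site` header at all are assumptions of this example, not statements about what the deployed fix does.

```python
"""Sec-Fetch-Site CSRF guard as a WSGI middleware.

Added illustration of the check described in HSEC-2026-0002. It is NOT
hackage-server's Haskell middleware: the exemption list, the WSGI framing
and the handling of requests without Fetch Metadata are assumptions.
"""
from dataclasses import dataclass

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# Assumed allow-list of non-browser clients that never send Fetch Metadata.
# The advisory names cabal-install/* as one such client.
EXEMPT_USER_AGENT_PREFIXES = ("cabal-install/",)

# Sec-Fetch-Site values a browser sends for requests that did not originate
# on a foreign site. "none" is a user-initiated navigation (typed URL,
# bookmark), which a script on another site cannot trigger.
NON_CROSS_SITE = frozenset({"same-origin", "same-site", "none"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def csrf_decision(method: str, headers: dict) -> Decision:
    """Decide whether a request passes the CSRF check.

    `headers` maps lower-cased header names to values; a header that the
    client did not send is simply absent from the dict.
    """
    if method.upper() in SAFE_METHODS:
        return Decision(True, "safe method")

    # Token auth is exempt: a browser never attaches an X-ApiKey header by
    # itself, so the request cannot be an ambient-credential forgery.
    if headers.get("authorization", "").lower().startswith("x-apikey "):
        return Decision(True, "token authentication")

    if headers.get("user-agent", "").startswith(EXEMPT_USER_AGENT_PREFIXES):
        return Decision(True, "exempt non-browser user agent")

    site = headers.get("sec-fetch-site")
    if site is None:
        # Assumption for this example: fail closed when a non-exempt client
        # uses an unsafe method without Fetch Metadata.
        return Decision(False, "missing Sec-Fetch-Site")
    if site.lower() in NON_CROSS_SITE:
        return Decision(True, f"Sec-Fetch-Site: {site}")
    return Decision(False, f"Sec-Fetch-Site: {site}")


def csrf_middleware(app):
    """Wrap a WSGI app; answer 403 Forbidden to requests that fail the check."""
    def guarded(environ, start_response):
        headers = {
            "authorization": environ.get("HTTP_AUTHORIZATION", ""),
            "user-agent": environ.get("HTTP_USER_AGENT", ""),
        }
        if "HTTP_SEC_FETCH_SITE" in environ:
            headers["sec-fetch-site"] = environ["HTTP_SEC_FETCH_SITE"]
        decision = csrf_decision(environ.get("REQUEST_METHOD", "GET"), headers)
        if not decision.allowed:
            body = f"403 Forbidden: {decision.reason}\n".encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded


def demo_app(environ, start_response):
    """Stand-in for a state-changing endpoint such as a package upload."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"package uploaded\n"]


def simulate(app, method, headers):
    """Run one constructed request through `app` and return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/packages/"}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, response_headers, exc_info=None):
        seen["status"] = status

    b"".join(app(environ, start_response))  # drain the body
    return seen["status"]


if __name__ == "__main__":
    guarded = csrf_middleware(demo_app)
    # Constructed requests: a forged form post from another site, the site's
    # own form post, a cabal-install upload, a token-authenticated upload and
    # a harmless cross-site GET.
    cases = [
        ("POST", {"Sec-Fetch-Site": "cross-site", "User-Agent": "Mozilla/5.0"}),
        ("POST", {"Sec-Fetch-Site": "same-origin", "User-Agent": "Mozilla/5.0"}),
        ("PUT", {"User-Agent": "cabal-install/3.10.3.0"}),
        ("PUT", {"Authorization": "X-ApiKey 0123abcd"}),
        ("GET", {"Sec-Fetch-Site": "cross-site"}),
    ]
    for method, hdrs in cases:
        print(method, hdrs, "->", simulate(guarded, method, hdrs))
```

Two properties make this check hold up. `Sec-Fetch-Site` can be trusted because browsers treat every `Sec-`-prefixed header as a forbidden header name, so a page script cannot set or spoof it. The user-agent exemption is weaker: an HTML form cannot change `User-Agent`, and a cross-site `fetch()` that sets a non-safelisted header like `User-Agent` triggers a CORS preflight, so the exemption is only as safe as the server's refusal to approve such preflights for the exempted prefixes. The token-authentication exemption is sound for the same reason as the `Sec-` headers: a browser never attaches `Authorization: X-ApiKey` on its own.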