CVE-2026-41132

Severity CVSS v4.0:
MEDIUM
Type:
CWE-295 Improper Certificate Validation
Publication date:
13/05/2026
Last modified:
15/05/2026

Description

CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate (e.g. self-signed), leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in 2.10.10 and 2.11.5.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:* 2.10.10 (excluding)
cpe:2.3:a:okfn:ckan:*:*:*:*:*:*:*:* 2.11.0 (including) 2.11.5 (excluding)


References to Advisories, Solutions, and Tools