CSRF leading to delete Client API in API clients management in wallabag/wallabag


Reported on Mar 31st 2023


wallabag was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily delete API keys via


Proof of Concept

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <html>
    <body>
      <form action="">
        <input type="submit" value="Submit request" />
      </form>
      <script>
        history.pushState('', '', '/');
      </script>
    </body>
  </html>


This vulnerability is capable of tricking a user into deleting their own API key.
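The report describes a state-changing delete action that can be triggered by a forged cross-site request. The example below is added here to illustrate the defensive pattern; it is not wallabag's code and not the fix from the referenced commit. It shows a Symfony controller with a vulnerable delete action (any method, no token) next to a hardened one (POST only, ownership check, per-client CSRF token). The `ApiClient` entity, route names, and the entity-to-argument conversion of `{id}` are assumptions for the example.

```php
<?php
// Added illustration, not wallabag's own code. Entity, route names and the
// automatic {id} -> ApiClient argument conversion are assumptions.

namespace App\Controller;

use App\Entity\ApiClient;                      // assumed entity
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;

class ApiClientController extends AbstractController
{
    // VULNERABLE: reachable with any HTTP method and carries no anti-CSRF token.
    // The browser attaches the victim's session cookie to a request started by
    // another origin (an auto-submitted form or even an <img> tag), so the
    // server cannot tell it apart from a genuine click in the settings page.
    #[Route('/developer/client/delete/{id}', name: 'developer_delete_client_vulnerable')]
    public function deleteVulnerable(ApiClient $client, EntityManagerInterface $em): RedirectResponse
    {
        $em->remove($client);
        $em->flush();

        return $this->redirectToRoute('developer');
    }

    // HARDENED: POST only, CSRF token bound to the specific client, ownership check.
    #[Route('/developer/client/{id}/delete', name: 'developer_delete_client', methods: ['POST'])]
    public function delete(Request $request, ApiClient $client, EntityManagerInterface $em): RedirectResponse
    {
        // Including the client id in the token id means a token issued for one
        // client's delete button cannot be replayed against a different client.
        $tokenId = 'delete-client-' . $client->getId();
        $submitted = (string) $request->request->get('_token', '');

        if (!$this->isCsrfTokenValid($tokenId, $submitted)) {
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        // Defence in depth: the token proves the request came from our page,
        // not that this user may delete this particular client.
        if ($client->getUser() !== $this->getUser()) {
            throw $this->createAccessDeniedException();
        }

        $em->remove($client);
        $em->flush();
        $this->addFlash('notice', 'API client removed.');

        return $this->redirectToRoute('developer');
    }
}

/*
Matching Twig form for the hardened action (template code, shown as a comment):

<form method="post" action="{{ path('developer_delete_client', {id: client.id}) }}">
    <input type="hidden" name="_token" value="{{ csrf_token('delete-client-' ~ client.id) }}">
    <button type="submit">Delete</button>
</form>
*/
```

`isCsrfTokenValid()` compares the submitted value against the token stored in the user's session for that token id, so a page on another origin cannot obtain or guess it. Restricting the route to POST matters on its own: a `SameSite=Lax` session cookie is still sent on top-level GET navigations, which is exactly the request a link or redirect from a hostile page produces, so a GET-based delete stays exploitable even with that cookie attribute set.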

We are processing your report and will contact the wallabag team within 24 hours. 8 months ago
TuanTH modified the report 8 months ago
We have contacted a member of the wallabag team and are waiting to hear back 8 months ago
Nicolas Lœuillet validated this vulnerability 5 months ago
TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7 5 months ago


Thanks @nicosomb, I hope this vulnerability can be assigned a CVE.

Nicolas Lœuillet marked this as fixed in 2.6.3 with commit ffcc5c 3 months ago
Nicolas Lœuillet has been awarded the fix bounty
This vulnerability has been assigned a CVE
Nicolas Lœuillet published this vulnerability 3 months ago
Nicolas Lœuillet gave praise 3 months ago
Thank you @tht1997 !
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1