GET based CSRF on delete user functionality in wallabag/wallabag


Reported on

Feb 4th 2023


The /account/delete functionality is vulnerable to CSRF. In this way, an attacker can trick the victim to delete his own account just clicking on the link.

Steps to reproduce

  • Login with a user
  • Now go here:
  • The account is now deleted without any confirmation


An attacker can trick the victim to delete his own account just clicking on the link.


Convert it to a POST request with CSRF token, or implement a CSRF token in the URL.

We are processing your report and will contact the wallabag team within 24 hours. 2 months ago
We have contacted a member of the wallabag team and are waiting to hear back 2 months ago
wallabag/wallabag maintainer has acknowledged this report 2 months ago
Jérémy Benoist
a month ago


Thanks for the report. Could you fix the affected version? It should 2.5.3 instead of 3.5.3.

Jérémy Benoist validated this vulnerability a month ago
leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a month ago


Thanks for validating the report. Unfortunately, I can't change the version since I'm not allowed to change anything after report validation

Jérémy Benoist marked this as fixed in 2.5.4 with commit 268372 a month ago
Jérémy Benoist has been awarded the fix bounty
This vulnerability has been assigned a CVE
Jérémy Benoist published this vulnerability a month ago
ConfigController.php#L615 has been validated
wallabag/wallabag maintainer gave praise a month ago
Thank you @leorac
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation