Backdrop core - Critical - Cross Site Request Forgery - BACKDROP-SA-CORE-2026-002

Date:

Wednesday, Apr 22nd, 2026

Advisory ID:

BACKDROP-SA-CORE-2026-002

Security risk:

Critical

Vulnerability:

Cross Site Request Forgery

Versions affected:

Backdrop Core 1.33.x versions prior to 1.33.2
Backdrop Core 1.32.x versions prior to 1.32.3
Backdrop versions 1.31 and prior do not receive security coverage.

Description:

Backdrop's project installer does not check against a generated token before queuing projects to be downloaded from the Backdrop contrib repository. A user that has permission to post content could craft special tag to queue projects and download the projects. This vulnerability is mitigated by the fact that the user needs the ability to post HTML, and needs to get a privileged user to view the content they post. Additionally, there is no known way to enable projects, only download them.

Solution:

Upgrade your site to the most recent version of Backdrop core. Download the latest release from the Backdrop CMS Releases or use the built-in updater to self-update. See the update instructions, if needed.

Reported By:

Hammy

Fixed By:

Nate Lampton of the Backdrop CMS Security Team

Coordinated By:

Nate Lampton of the Backdrop CMS Security Team
Jen Lampton of the Backdrop CMS Security Team
Laryn Kragt Bakker of the Backdrop CMS Security Team

Security email list

Backdrop maintains a security mailing list. Whenever a security release comes out, an email will be sent to everyone subscribed to that list, announcing the new release. Please follow the steps below to join the Security email list.

Log in to backdropcms.org
Edit your profile
Switch to the "Subscriptions" tab
Check the box labeled "Security updates"
Save the form

Security Advisories

The list below includes the latest advisories for both Backdrop core and any project in the contributed repository. See the entire list of all advisories.