CVE-2026-22194

8.8 HIGH

📋 TL;DR

GestSup versions up to 3.2.60 contain a CSRF vulnerability that allows attackers to trick authenticated users into performing unauthorized actions. An attacker can exploit this to create privileged administrative accounts by targeting the user creation endpoint. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • GestSup
Versions: Up to and including 3.2.60
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the GestSup instance through creation of administrative accounts, leading to data theft, system takeover, or further attacks.

🟠 Likely Case: Unauthorized creation of privileged accounts leading to data exposure, privilege escalation, and potential lateral movement within the system.

🟢 If Mitigated: Limited impact with proper CSRF protections, though some risk remains if other vulnerabilities exist.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into visiting malicious pages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.61 or later

Vendor Advisory: https://gestsup.fr/index.php?page=changelog

Restart Required: No

Instructions:

1. Back up your GestSup installation and database.
2. Download the latest version from the official website.
3. Replace the existing files with the updated version.
4. Verify the update by checking the version number.

🔧 Temporary Workarounds

Implement CSRF Tokens (scope: all): Add CSRF protection tokens to all state-changing requests.

SameSite Cookie Attribute (scope: all): Set the SameSite=Strict attribute on session cookies.
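The two workarounds above, as an added example written for this page and not GestSup's own code: a per-session synchronizer token checked on every state-changing POST, and a SameSite=Strict session cookie. The function and field names (csrf_issue_token, csrf_require_valid_token, csrf_token) are assumptions for illustration, not GestSup identifiers.

```php
<?php
// Added example, not GestSup code: synchronizer-token CSRF guard plus a
// SameSite=Strict session cookie. Names below are assumed for illustration.
declare(strict_types=1);

// Session cookie hardening: with SameSite=Strict the browser does not attach
// the session cookie to cross-site POSTs, so a forged request arrives without
// a session. Must run before session_start(); array form needs PHP 7.3+.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Strict',
]);
session_start();

// Issue one random token per session and embed it in every state-changing form.
function csrf_issue_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from a CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Reject any POST whose submitted token does not match the session copy.
// hash_equals() compares in constant time so the check does not leak the token.
function csrf_require_valid_token(array $post): void
{
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted) || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// In the form that creates a user, emit the token as a hidden field:
//   echo '<input type="hidden" name="csrf_token" value="'
//        . htmlspecialchars(csrf_issue_token(), ENT_QUOTES) . '">';

// In the handler, validate before doing anything privileged:
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_require_valid_token($_POST);
    // ... only now perform the state change (e.g. creating the user) ...
}
```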

🧯 If You Can't Patch

  • Implement web application firewall rules to detect and block CSRF attempts
  • Restrict administrative access to specific IP addresses or networks

🔍 How to Verify

Check if Vulnerable:

Check GestSup version number in admin panel or configuration files

Check Version:

Check version in GestSup admin interface or config files

Verify Fix Applied:

Verify version is 3.2.61 or higher and test CSRF protection on user creation endpoint

📡 Detection & Monitoring

Log Indicators:

  • Multiple user creation attempts from same IP
  • Unusual administrative account creation

Network Indicators:

  • HTTP POST requests to the user creation endpoint with a missing or cross-origin Referer header
  • Requests with missing CSRF tokens

SIEM Query:

source="gestsup" AND (event="user_creation" OR event="admin_action") AND user_agent="*malicious*"
