PatchSiren cyber security CVE debrief
CVE-2026-48518 juice-shop CVE debrief
CVE-2026-48518 is a medium-severity vulnerability in MultiJuicer, a tool for running separate Juice Shop instances on a central Kubernetes cluster. MultiJuicer versions 8.0.0 through 10.0.0 contain a cross-site request forgery (CSRF) flaw in the team join endpoint (POST /multi-juicer/api/teams/{team}/join). The endpoint accepted requests with any Content-Type, including text/plain, one of the CORS-safelisted types that a browser sends without a preflight. An attacker could therefore host a page containing an HTML form that auto-submits to the endpoint; when a victim visits that page, the victim's browser is logged in to the attacker's team, with no prior authentication required. The only precondition is that the victim visits the attacker-controlled page while having network access to the MultiJuicer deployment. Afterwards, Juice Shop challenges the victim solves are credited to the attacker's team, which can inflate that team's score in a CTF, and any sensitive data the victim enters into what they believe is their own Juice Shop instance ends up in the attacker's instance. The vulnerability was fixed in version 10.0.1.
- Vendor: juice-shop
- Product: multi-juicer
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-16
Who should care
Users of MultiJuicer, especially those in Capture The Flag (CTF) contexts or using Juice Shop for security training, should be aware of this vulnerability. Administrators of MultiJuicer deployments should upgrade to version 10.0.1 or later to mitigate this issue.
Technical summary
The team join endpoint in MultiJuicer versions 8.0.0 through 10.0.0 is vulnerable to CSRF because it accepted requests with any Content-Type, including text/plain, which browsers send cross-site without a CORS preflight. An attacker can therefore force a victim's browser to join the attacker's team without any authentication, which inflates the attacker's score in a CTF context and exposes data the victim subsequently enters into the attacker's Juice Shop instance.
Defensive priority
Medium
Recommended defensive actions
- Upgrade MultiJuicer to version 10.0.1 or later.
- Review balancer logs for team join requests with a Content-Type other than application/json, or with an Origin header that does not match the deployment; either is a sign of a cross-site form post.
- As defence in depth, reject join requests whose Content-Type is not application/json (an HTML form can only send application/x-www-form-urlencoded, multipart/form-data or text/plain bodies), refuse requests that browsers label Sec-Fetch-Site: cross-site, and set a strict SameSite attribute on the session cookie.
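The following Go program is an added example, not MultiJuicer's own code, that illustrates both the mechanism from the debrief above and the Content-Type and Origin checks recommended here. It models a hypothetical join handler that, like the pre-10.0.1 endpoint, decodes its body as JSON regardless of Content-Type, then wraps it in a guard that rejects what a cross-site HTML form can produce. The request body shape, the team name, and the origins juicer.example and attacker.example are assumptions for the demonstration; the endpoint path is the one named in the advisory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// joinRequest is a hypothetical body shape for the join endpoint; the real
// MultiJuicer request format is not reproduced here.
type joinRequest struct {
	Passcode string `json:"passcode"`
}

// vulnerableJoin models the pre-10.0.1 behaviour described in the advisory:
// the body is decoded as JSON whatever Content-Type arrives, so a text/plain
// form post from another site (which needs no CORS preflight) is processed
// exactly like a legitimate application/json request.
func vulnerableJoin(w http.ResponseWriter, r *http.Request) {
	var req joinRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "malformed body", http.StatusBadRequest)
		return
	}
	// A real handler would now bind the browser session to the team.
	w.WriteHeader(http.StatusOK)
}

// csrfGuard wraps a handler with checks an HTML form cannot satisfy:
//  1. Content-Type must be application/json. A <form> can only send
//     application/x-www-form-urlencoded, multipart/form-data or text/plain,
//     and any other type from fetch/XHR triggers a CORS preflight first.
//  2. Browsers mark cross-site requests with Sec-Fetch-Site: cross-site and
//     send an Origin header on cross-origin POSTs; either is refused here
//     as defence in depth.
func csrfGuard(allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" && origin != allowedOrigin {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// joinStatus sends one constructed join request to h and returns the HTTP
// status code. contentType, origin and fetchSite mimic the headers a browser
// attaches; the body is valid JSON even in the text/plain case, which is what
// a form field named to smuggle JSON through enctype="text/plain" achieves.
func joinStatus(h http.Handler, contentType, origin, fetchSite string) int {
	body := `{"passcode":"12345678"}` // constructed sample body
	r := httptest.NewRequest(http.MethodPost, "/multi-juicer/api/teams/team-a/join", strings.NewReader(body))
	r.Header.Set("Content-Type", contentType)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if fetchSite != "" {
		r.Header.Set("Sec-Fetch-Site", fetchSite)
	}
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

func main() {
	vuln := http.HandlerFunc(vulnerableJoin)
	guarded := csrfGuard("https://juicer.example", vuln) // hypothetical deployment origin

	// What an auto-submitting <form enctype="text/plain"> on attacker.example produces.
	fmt.Println("vulnerable, cross-site text/plain post:", joinStatus(vuln, "text/plain", "https://attacker.example", "cross-site"))
	fmt.Println("guarded,    cross-site text/plain post:", joinStatus(guarded, "text/plain", "https://attacker.example", "cross-site"))
	// A legitimate same-origin call from the MultiJuicer frontend.
	fmt.Println("guarded,    same-origin JSON post:     ", joinStatus(guarded, "application/json; charset=utf-8", "https://juicer.example", "same-origin"))
}
```

The Content-Type check alone closes the attack path described in the advisory, because no HTML form can send application/json. The Sec-Fetch-Site and Origin checks cost nothing and catch the same request class even if a later change relaxes the body parsing, so they belong in the guard as well.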
Evidence notes
The CVE-2026-48518 vulnerability was publicly disclosed and fixed in version 10.0.1 of MultiJuicer. Details can be found in the official CVE record [cve-org] and the NVD entry [nvd].
Official resources
CVE-2026-48518 was published on 2026-06-15T21:17:14.057Z and has not been modified since then.