PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40549 SOPlanning CVE debrief

SOPlanning version 1.55 and below contains a Cross-Site Request Forgery (CSRF) vulnerability. The `groupe_save` endpoints for creating, modifying, and deleting groups lack sufficient anti-CSRF protection, so an attacker can host a page that submits forged GET or POST requests on behalf of an authenticated user who visits it; because GET is honoured, the forged request can be as simple as an image tag or link, with no form or script required. The vulnerability was disclosed on 2026-06-01 with a MEDIUM severity CVSS 4.0 score of 5.1. No known exploitation in ransomware campaigns has been reported.

Vendor: SOPlanning
Product: Unknown
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running SOPlanning version 1.55 or below for project and resource planning, particularly those with multi-user deployments where authenticated users may browse external websites during active sessions.

Technical summary

SOPlanning version 1.55 and below contains a Cross-Site Request Forgery (CSRF) vulnerability in the groupe_save functionality. The endpoints for creating, modifying, and deleting groups rely on the browser-attached session cookie alone and do not check that the request was initiated by the application itself (no per-session anti-CSRF token is required). An attacker can construct a web page that, when loaded by a user with an active SOPlanning session, causes the browser to send forged GET or POST requests to these endpoints with the victim's cookie attached. Successful exploitation results in unauthorized group creation, modification, or deletion, limited to what the victim's account is permitted to do. The attacker needs no account or privileges on the SOPlanning instance; the only requirement is that the victim visits the attacker-controlled page while logged in. The CVSS 4.0 score of 5.1 reflects low impacts to confidentiality and integrity with no availability impact.
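The following is an added example, not SOPlanning's own code, that models the handler behaviour described above in its vulnerable shape (session cookie is the only check, GET and POST both mutate state) beside a hardened version that requires POST, a same-origin Origin/Referer header, and a token bound to the session. The endpoint and parameter names, the cookie name `sid`, the origin `https://planning.example.org`, and the in-memory session store are assumptions for illustration and are not taken from SOPlanning's source.

```python
"""Vulnerable versus hardened model of a groupe_save-style handler.

Added example (not SOPlanning's code). Names, parameters, cookie name,
deployment origin and the session store are assumptions for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://planning.example.org"   # assumed deployment origin

# Assumed in-memory session store: cookie value -> {"user", "csrf"}.
SESSIONS = {}


def new_session(user):
    """Create a session and mint a per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # merged GET/POST parameters


def apply_action(params, groups):
    """Toy group store: create / modify / delete keyed by group id."""
    action, gid = params.get("action"), params.get("id")
    if action == "create":
        groups[gid] = params.get("name", "")
    elif action == "modify" and gid in groups:
        groups[gid] = params.get("name", groups[gid])
    elif action == "delete":
        groups.pop(gid, None)
    else:
        return "unknown action"
    return f"{action} ok"


def groupe_save_vulnerable(req, groups):
    """Pre-fix shape: any request carrying a valid session cookie is
    executed, whether it arrived by GET or POST and whoever built it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "login required"
    return 200, apply_action(req.params, groups)


def origin_allowed(headers):
    """Defence in depth: Origin (or Referer as fallback) must match the app.
    Browsers send at least one of them on cross-site form posts; a request
    with neither is rejected rather than trusted."""
    origin = headers.get("Origin")
    if origin is None:
        ref = headers.get("Referer")
        if ref is None:
            return False
        parts = urlsplit(ref)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN


def groupe_save_hardened(req, groups):
    """Fixed shape: state changes need POST, a same-origin header and a
    token the attacker's page cannot read (compared in constant time)."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state-changing request must be POST"
    if not origin_allowed(req.headers):
        return 403, "cross-origin request rejected"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    return 200, apply_action(req.params, groups)


def demo():
    """Return (vulnerable status, hardened status, legitimate status)."""
    sid = new_session("alice")
    # What a lure page on another origin produces: the browser attaches
    # alice's cookie, but the attacker cannot read her token.
    forged = Request("GET", cookies={"sid": sid},
                     headers={"Referer": "https://evil.example/lure.html"},
                     params={"action": "delete", "id": "1"})
    vuln = groupe_save_vulnerable(forged, {"1": "Dev"})
    hard = groupe_save_hardened(forged, {"1": "Dev"})
    # A genuine in-app form submission carries the session-bound token.
    legit = Request("POST", cookies={"sid": sid},
                    headers={"Origin": APP_ORIGIN},
                    params={"action": "delete", "id": "1",
                            "csrf_token": SESSIONS[sid]["csrf"]})
    ok = groupe_save_hardened(legit, {"1": "Dev"})
    return vuln[0], hard[0], ok[0]


if __name__ == "__main__":
    print(demo())   # (200, 405, 200)
```

The forged request is accepted by the vulnerable handler because a valid cookie is its only check; the hardened handler rejects it at the method check before the token is even examined, and would reject a forged POST on the Origin or token check instead.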

Defensive priority

medium

Recommended defensive actions

  • Upgrade to a patched version of SOPlanning when the vendor releases one.
  • Implement or verify anti-CSRF token validation on all state-changing requests, particularly the groupe_save create, modify, and delete endpoints: bind the token to the session, reject requests that omit it, and refuse to perform state changes over GET.
  • As defense in depth, set the SameSite attribute on the session cookie and validate the Origin (or Referer) header on state-changing requests. Note that SameSite=Lax still sends the cookie on top-level GET navigations, so on its own it does not close the GET path these endpoints accept; SameSite=Strict or the server-side checks above are needed for that.
  • Review web server access logs for requests to the groupe_save endpoints that arrive by GET with action parameters, or whose Referer is missing or points to a host other than the SOPlanning instance. The Origin header is not in the default combined log format and must be added to the LogFormat if you want to check it.
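The log review in the last item, as an added example that is not part of the original advisory or of SOPlanning: it parses Apache/Nginx combined-format access lines and flags requests to the groupe_save endpoint that are state-changing GETs, carry a cross-origin Referer, or carry no Referer at all. The hostname `planning.example.org`, the path `/process/groupe_save.php`, and the sample log lines are constructed for illustration; SOPlanning's real URL layout is not taken from its source, so adjust `ENDPOINT_MARKER` and `APP_HOST` to the deployment.

```python
"""Flag suspicious groupe_save requests in combined-format access logs.

Added example (not SOPlanning's code). APP_HOST, ENDPOINT_MARKER and the
sample lines are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

APP_HOST = "planning.example.org"        # assumed SOPlanning vhost
ENDPOINT_MARKER = "groupe_save"          # assumed path fragment of the endpoint

# Apache/Nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one legitimate in-app POST, two requests from a lure
# page on evil.example, one unrelated request, one GET with no Referer.
SAMPLE_LOG = """
198.51.100.10 - - [01/Jun/2026:09:02:11 +0000] "POST /process/groupe_save.php HTTP/1.1" 302 0 "https://planning.example.org/groupe_edit.php?id=3" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2026:10:15:22 +0000] "GET /process/groupe_save.php?action=delete&id=7 HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2026:10:15:23 +0000] "POST /process/groupe_save.php HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.10 - - [01/Jun/2026:10:20:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Jun/2026:11:01:05 +0000] "GET /process/groupe_save.php?action=modify&id=2&nom=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(lines, app_host=APP_HOST):
    """Return a finding per groupe_save request that looks forged.

    Reasons are cumulative: a GET carrying an action parameter from a foreign
    Referer gets two. A missing Referer is reported at low confidence because
    referrer policies and privacy extensions strip it for legitimate users too.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if ENDPOINT_MARKER not in url.path:
            continue
        reasons = []
        if rec["method"] == "GET" and "action" in parse_qs(url.query):
            reasons.append("state-changing GET")
        ref = rec["referer"]
        if ref in ("", "-"):
            reasons.append("no Referer (low confidence: referrer policy "
                           "or privacy tools also strip it)")
        else:
            ref_host = urlsplit(ref).hostname
            if ref_host != app_host:
                reasons.append(f"cross-origin Referer {ref_host}")
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "method": rec["method"],
                             "target": rec["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["time"], f["ip"], f["method"], f["target"], "; ".join(f["reasons"]))
```

Run it as `python review_groupe_save.py < /dev/null` after replacing `SAMPLE_LOG` with lines read from the real access log; the legitimate in-app POST in the sample produces no finding, while the three requests that match the CVE's pattern do. Correlate the flagged source addresses with the session owner to identify which user's browser was used, since the IP is the victim's, not the attacker's.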

Evidence notes

CVE description confirms CSRF in groupe_save endpoints for create, modify, and delete operations. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, with low impacts to confidentiality and integrity. Weakness mapped to CWE-352. Vendor attribution is low-confidence based on reference domain candidate 'Soplanning' and requires review.
