Qwik City, CSRF Protection Bypass, CVE-2026-????? (Moderate)

Listen to this Post

This vulnerability exists within the CSRF protection middleware of the Qwik City framework. The security mechanism relies on correctly verifying the `Content-Type` header of incoming HTTP requests to determine if CSRF checks should be applied. The function `isContentType()` uses a regular expression to parse this header. Due to a typo in this regex, it fails to correctly match headers that include parameters, such as multipart/form-data; boundary=something. The regex likely expects a strict match without considering the potential semicolon and additional key-value pairs following the primary media type. Consequently, a request with a parameterized `Content-Type` header is incorrectly classified as not requiring a CSRF check. An attacker can craft a malicious form submission or API request targeting a Qwik City application, setting the `Content-Type` to `multipart/form-data` with any boundary parameter. The flawed validation logic allows the request to bypass the Origin check, enabling a Cross-Site Request Forgery attack where the attacker’s page can trigger unauthorized state-changing actions on behalf of an authenticated user.
Platform: Qwik City
Version: Pre-1.6.x
Vulnerability: CSRF Bypass
Severity: Moderate
Date: 2026-02-03

Prediction: 2026-02-10

What Undercode Say:

git clone https://github.com/QwikDev/qwik
grep -r "isContentType" --include=".ts" --include=".js"
curl -X POST https://victim.app/form -H "Content-Type: multipart/form-data; boundary=malicious" --data-binary $'--malicious\r\nContent-Disposition: form-data; name="action"\r\n\r\ndelete_account\r\n--malicious--\r\n'
// Example of flawed regex logic
function isContentType(request, type) {
const contentType = request.headers.get('content-type');
// Incorrect regex that fails on parameters
return new RegExp(<code>^${type}</code>).test(contentType); // Should account for optional '; charset=utf-8' etc.
}

How Exploit:

Craft HTML form with `enctype=”multipart/form-data”` targeting vulnerable endpoint. Trick authenticated user into submitting it.

Protection from this CVE:

Update to patched version (e.g., 1.6.1). Implement additional anti-CSRF tokens.

Impact:

Unauthorized form submissions. Account takeover. Data manipulation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top