#0x5A

flawed CSRF implementation

@cybeidasubmitted a report toJupiterMay 16, 2026 at 21:47

Severity	INFORMATIONAL
CVSS	5.9`CVSS:3.1/AV:N/PR:N/AC:H/UI:R/I:H/A:N/C:L/S:U`
Vulnerability Type	Cross-Site Request Forgery (CSRF)
Asset	*.jup.ag - Jupiter Domain
Endpoint	`https://discuss.jup.ag/`

Description

The CSRF token is not invalidated after LOGOUT and after Password reset, this can introduce an attack surface where an attacker with old CSRF token can craft a request using the old CSRF and sending it to the victim. This can lead to a wide range of impact from Account takeover to victim information change

Steps to Reproduce

Navigate to https://discuss.jup.ag/
Login your account if you already have
Navigate to any state changing request
Or even just note the CSRF token in a place
log out your account
Now login back
check the CSRF token you will see that it is different now
Go to https://discuss.jup.ag/u/cyboida/preferences/email
That is a state changing request
change the new X-CSRF token in the header ro the old one from the other logged out session(The one we noted earlier)
send the request you will see 200 OK which means the request has been sent
check the UI you will see a message that said a confirmation email has been sent to the email you just added

Impact

An attacker can be able to get victim account

Attachments (2)

bandicam_2026-05-16_22-01-23-777.mp4

video/mp4

bandicam_2026-05-16_22-23-37-644.mp4

video/mp4

Activity

@thibaultclosed the report asInformative

May 17

@thibaultchanged the severity frommediumtolow

May 17

@cybeidacommented.

May 17

@cybeidacommented.

May 17

@cybeidacommented.

May 17

@thibaultchanged the severity fromlowtoinformational

May 17

@cybeidacommented.

May 17

@cybeidacommented.

May 17

@raccoonsdisclosed this reportPublic Disclosure

May 22

Properties

Status

INFORMATIVE

Severity

INFORMATIONAL

Reporter

@cybeida

Program

Jupiter