CVE-2026-22194 describes a cross-site request forgery (CSRF) vulnerability affecting GestSup versions up to and including 3.2.60. This flaw allows an attacker to induce a logged-in user to unknowingly submit malicious requests, leading to unauthorized actions. Successful exploitation could result in the creation of privileged accounts by targeting the administrative user creation endpoint, compromising system security.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized privilege escalation. An attacker could craft a malicious request that, when triggered by an authenticated GestSup user, would create a new administrative account under the attacker's control. This grants the attacker full administrative access to the GestSup system, enabling them to modify configurations, access sensitive data, and potentially compromise the entire application. The attack surface is broad, as any endpoint accessible to administrative users is susceptible. This vulnerability shares similarities with other CSRF flaws in which state-changing actions are performed on the strength of the victim's session alone, without verifying that the user intended the request, potentially leading to significant data breaches and system takeover.
CVE-2026-22194 was publicly disclosed on 2026-01-09. There is no indication of active exploitation or inclusion in the CISA KEV catalog at this time. Public proof-of-concept (POC) code is currently unavailable, but the nature of CSRF vulnerabilities makes it likely that a POC will emerge. The lack of a fixed version increases the risk, as organizations are reliant on workarounds until a patch is released.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC: none listed
The primary mitigation for CVE-2026-22194 is to upgrade GestSup to a version that addresses the CSRF vulnerability. Unfortunately, a fixed version is not specified in the provided data. As a temporary workaround, implement strict input validation and output encoding on all user-facing endpoints, particularly those involved in user creation and modification. Consider implementing a Content Security Policy (CSP) to restrict the sources from which the application can load resources, reducing the attack surface. Additionally, implement CSRF tokens on all sensitive forms and requests so the server can verify that each state-changing request was intentionally issued by the authenticated user rather than forged by another site. After applying these mitigations, thoroughly test all administrative functions to ensure they are protected against CSRF attacks.
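The synchronizer-token check described in the workaround above, sketched as an added Python example (not GestSup's own code, which is PHP) around a hypothetical admin user-creation handler; the origin `https://gestsup.example`, the session and form dictionaries, and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

APP_ORIGIN = "https://gestsup.example"   # assumed origin of the deployment

def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session; the admin
    user-creation form embeds it as a hidden field."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]

def same_origin(header_value, expected):
    """Compare scheme and host of an Origin/Referer header with the app origin."""
    if not header_value:
        return False
    got, want = urlsplit(header_value), urlsplit(expected)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def request_is_legitimate(session, form, headers, expected_origin=APP_ORIGIN):
    """Synchronizer-token check, with an Origin/Referer check as defence in depth."""
    if not same_origin(headers.get("Origin") or headers.get("Referer"), expected_origin):
        return False
    expected, submitted = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the token cannot be recovered via timing.
    return hmac.compare_digest(expected, submitted)

def create_user_handler(session, form, headers, users, expected_origin=APP_ORIGIN):
    """Hypothetical admin user-creation endpoint. Returns (status, message);
    a real handler would also validate the form fields."""
    if session.get("role") != "admin":
        return 403, "forbidden"
    if not request_is_legitimate(session, form, headers, expected_origin):
        return 403, "csrf check failed"      # forged request: nothing is created
    users[form["login"]] = {"role": form.get("role", "user")}
    return 201, "created"

if __name__ == "__main__":
    session, users = {"role": "admin"}, {}
    token = issue_csrf_token(session)
    # Genuine submission from the app's own form carries the session token.
    print(create_user_handler(session, {"login": "alice", "role": "admin", "csrf_token": token},
                              {"Origin": APP_ORIGIN}, users))
    # A cross-site submission cannot read the token and is rejected before any write.
    print(create_user_handler(session, {"login": "mallory", "role": "admin"},
                              {"Origin": "https://attacker.example"}, users))
```

The token lives only in the server-side session and in the page served from the app's own origin, which is what makes it unavailable to a page on another site.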
Update GestSup to a version later than 3.2.60. This will address the CSRF vulnerability that allows for privileged account creation. Refer to the provider's website changelog for more details about the update.
CVE-2026-22194 is a cross-site request forgery (CSRF) vulnerability in GestSup versions up to 3.2.60, allowing attackers to trick authenticated users into performing unauthorized actions.
If you are using GestSup versions 0–3.2.60, you are potentially affected by this CSRF vulnerability. Upgrade to a patched version as soon as it becomes available.
Upgrade to a patched version of GestSup. Until a patch is released, implement workarounds such as strict input validation, output encoding, and CSRF tokens.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it likely that it will be targeted in the future.
Refer to the GestSup project website or security mailing lists for official advisories and updates regarding CVE-2026-22194.