## CSRF Protection Absent on Key API Endpoints: Default Config Exposes Admin Actions to Malicious Requests
A security vulnerability has been reported in multiple state-mutating REST API endpoints under `/api/v1/`, where Cross-Site Request Forgery (CSRF) token validation is not enforced because the configuration flag `WTF_CSRF_ENABLED` ships with a default of `False`. The flaw affects administrative functions including dashboard saves, chart updates, and dataset deletions, potentially allowing an attacker to make an authenticated admin perform unintended actions by luring them to a malicious website.

The affected endpoints are `POST /api/v1/dashboard/`, `PUT /api/v1/chart/{id}`, and `DELETE /api/v1/dataset/{id}`. Because these endpoints process state-changing requests without verifying a CSRF token under the default settings, the reported attack scenario needs only that a logged-in administrator visit an attacker-controlled page: the browser attaches the session cookie automatically, and with no token to check, the API cannot tell a request the user initiated from one forged by an external site. Two browser-side conditions narrow this in practice and belong in any triage. First, the session cookie must actually be sent cross-site, which it is not if it carries `SameSite=Lax` or `SameSite=Strict` (Chromium-based browsers treat a cookie with no `SameSite` attribute as `Lax`). Second, a cross-origin `PUT` or `DELETE`, or any request with a JSON body, triggers a CORS preflight that the browser will only complete if the server's CORS policy permits it; a plain form-encoded `POST` to `/api/v1/dashboard/` is the case that needs neither, which makes it the endpoint to test first.

Security researchers are urging that `WTF_CSRF_ENABLED = True` be set as a non-negotiable default rather than an optional toggle. `WTF_CSRF_ENABLED` is the switch for Flask-WTF's `CSRFProtect` extension, which, once enabled, checks a token on `POST`, `PUT`, `PATCH` and `DELETE` for every view that is not explicitly exempted, so the fix is a configuration change rather than per-endpoint code. Additional recommendations include deploying CSRF token validation middleware across all mutation endpoints and documenting the security implications of disabling CSRF in `config.py` to prevent unintended exposure. The disclosure references the OWASP CSRF Prevention Cheat Sheet as a baseline for proper mitigation. Organizations running the affected API should audit their current CSRF configuration immediately: confirm the effective value of `WTF_CSRF_ENABLED` in every deployed config file, and check for `csrf.exempt` decorators or an exemption list that would leave the `/api/v1/` mutation routes uncovered even with the flag on.
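The middleware recommendation above, as an added example that is not code from the reported project or from Flask-WTF: a framework-agnostic WSGI middleware that refuses any `POST`, `PUT`, `PATCH` or `DELETE` under `/api/v1/` unless it carries the session's synchronizer token, with an Origin check in front of it. The trusted origin `https://bi.example.com`, the in-memory `SESSIONS` store, the stub `api_app`, and the constructed requests in `demo()` are all assumptions made for this example so that it runs offline.

```python
"""CSRF-validating WSGI middleware for state-mutating /api/v1/ requests.

Added example, not the reported project's code. SESSIONS, TRUSTED_ORIGINS,
api_app and the requests built in demo() are stand-ins constructed for this file.
"""
import hmac
import io
import secrets
from urllib.parse import parse_qs

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
PROTECTED_PREFIX = "/api/v1/"
TRUSTED_ORIGINS = {"https://bi.example.com"}   # assumption: the application's own origin
SESSIONS = {}                                  # assumption: stand-in for server-side sessions


def new_session(user):
    """Create a session with its own synchronizer token; return the cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def _cookie(environ, name):
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def _submitted_token(environ):
    """Token from the X-CSRFToken header (fetch/XHR) or a csrf_token form field (HTML forms)."""
    header = environ.get("HTTP_X_CSRFTOKEN")
    if header:
        return header
    if environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
        raw = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        environ["wsgi.input"] = io.BytesIO(raw)   # let the downstream app re-read the body
        return parse_qs(raw.decode()).get("csrf_token", [None])[0]
    return None


def csrf_check(environ):
    """Return None when the request may proceed, otherwise a short rejection reason."""
    if environ["REQUEST_METHOD"] not in MUTATING_METHODS:
        return None                               # safe methods are never token-checked
    if not environ.get("PATH_INFO", "").startswith(PROTECTED_PREFIX):
        return None
    session = SESSIONS.get(_cookie(environ, "session"))
    if session is None:
        return "no session"                       # nothing to forge; auth rejects it anyway
    origin = environ.get("HTTP_ORIGIN")           # browsers attach Origin to cross-site writes
    if origin is not None and origin not in TRUSTED_ORIGINS:
        return "untrusted origin"
    submitted = _submitted_token(environ)
    if submitted is None:
        return "missing csrf token"
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "bad csrf token"                   # constant-time comparison
    return None


class CSRFMiddleware:
    """Wrap any WSGI app; every mutating /api/v1/ request must pass csrf_check."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        reason = csrf_check(environ)
        if reason is None:
            return self.app(environ, start_response)
        body = f"CSRF check failed: {reason}".encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def api_app(environ, start_response):
    """Stand-in for the real API that would save the dashboard, update the chart, etc."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"mutation applied"]


def request(app, method, path, cookie=None, origin=None, token_header=None, form=None):
    """Drive a WSGI app with a constructed request and return the numeric status."""
    body = form.encode() if form else b""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.input": io.BytesIO(body), "CONTENT_LENGTH": str(len(body))}
    if form is not None:
        environ["CONTENT_TYPE"] = "application/x-www-form-urlencoded"
    if cookie:
        environ["HTTP_COOKIE"] = f"session={cookie}"
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if token_header:
        environ["HTTP_X_CSRFTOKEN"] = token_header
    status = []
    list(app(environ, lambda s, h: status.append(int(s.split()[0]))))
    return status[0]


def demo():
    """Constructed requests: forged cross-site writes, legitimate writes, and a safe GET."""
    app = CSRFMiddleware(api_app)
    sid = new_session("admin")
    token = SESSIONS[sid]["csrf_token"]
    return {
        # attacker page auto-submits a form: cookie attached by the browser, foreign Origin
        "forged_post": request(app, "POST", "/api/v1/dashboard/", cookie=sid,
                               origin="https://attacker.example", form="dashboard_title=pwned"),
        # same forged form with Origin stripped: still fails, no token in the body
        "forged_no_origin": request(app, "POST", "/api/v1/dashboard/", cookie=sid,
                                    form="dashboard_title=pwned"),
        # same-origin fetch() from the real UI sends the header token
        "legit_put": request(app, "PUT", "/api/v1/chart/7", cookie=sid,
                             origin="https://bi.example.com", token_header=token),
        # classic template form with the token embedded as a hidden field
        "legit_form": request(app, "POST", "/api/v1/dashboard/", cookie=sid,
                              form=f"csrf_token={token}&dashboard_title=ok"),
        "guessed_token": request(app, "DELETE", "/api/v1/dataset/3", cookie=sid,
                                 token_header="x" * 43),
        "safe_get": request(app, "GET", "/api/v1/dashboard/", cookie=sid),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:18} -> {status}")
```

The Origin check is deliberately placed before the token check: it is cheap, it covers clients that forget the token, and a browser cannot strip `Origin` from a cross-site `POST`. It is not a substitute for the token, since `Origin` is absent on some same-site navigations and on non-browser clients, which is why the token comparison still runs for every mutating request that reaches it.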
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CSRF vulnerability, API security, authentication bypass, default configuration, state-mutating endpoints
- **Credibility**: unverified
- **Published**: 2026-04-29 20:54:11
- **ID**: 78342
- **URL**: https://whisperx.ai/en/intel/78342