CVE-2026-48518: CWE-352: Cross-Site Request Forgery (CSRF) in juice-shop multi-juicer
A Cross-Site Request Forgery (CSRF) vulnerability exists in the MultiJuicer component of Juice Shop versions 8.0.0 through 10.0.0. The team join endpoint parses the request body regardless of its Content-Type, including text/plain. A cross-site HTML form submission with text/plain encoding is a "simple" request that browsers send without a CORS preflight, so the preflight that would normally block a foreign origin from POSTing JSON to the API never happens. An attacker can therefore craft a malicious webpage that forces a victim's browser to join the attacker's team without the victim's knowledge, inflating the attacker's team score in CTF scenarios and exposing data the victim enters to the attacker. The issue was fixed in version 10.0.1.
AI Analysis
Technical Summary
MultiJuicer, used to run Juice Shop instances centrally (one instance per team), has a CSRF vulnerability in the team join endpoint (POST /multi-juicer/api/teams/{team}/join) in versions 8.0.0 through 10.0.0. The endpoint parses the request body regardless of its Content-Type, including text/plain. Because an HTML form submission with text/plain encoding is a "simple" request that browsers send cross-site without a CORS preflight, the barrier that normally stops a foreign origin from POSTing JSON to the API does not apply. An attacker hosts a cross-site page containing a form that auto-submits to the endpoint; the victim's browser performs the join, and the victim is placed in the attacker's team. No prior authentication is required, and SameSite=Strict on existing cookies does not help: the forged request does not depend on any cookie being sent, and the join response plants a new team cookie in the victim's browser. From then on the victim's activity counts toward the attacker's team score, and data the victim enters into the instance is visible to the attacker. The issue was fixed in version 10.0.1.
Potential Impact
An attacker can cause victims to unknowingly join the attacker's team in the MultiJuicer deployment. Because the victim then works inside the attacker's Juice Shop instance, the challenges they solve inflate the attacker's team score and any data they enter is visible to the attacker. This undermines the integrity of CTF scoring and the confidentiality of data within the Juice Shop instances. The attack requires only that the victim visit an attacker-controlled webpage while having network access to the MultiJuicer service. Existing sessions are neither read nor hijacked; the attack plants a new team cookie rather than stealing one.
Mitigation Recommendations
This vulnerability was fixed in MultiJuicer version 10.0.1; upgrade to 10.0.1 or later to remediate it. The vendor documents no other mitigation or temporary fix. Until the upgrade is applied, the standard CSRF controls for this class of bug apply: reject state-changing requests whose Content-Type is not application/json (HTML forms can only send urlencoded, multipart or text/plain bodies, so they can never reach such a handler), and verify the Origin or Sec-Fetch-Site header on the join endpoint, for example at a reverse proxy in front of the balancer. These are general hardening measures, not vendor-documented workarounds for this CVE.
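The following Go program is an added illustration, not MultiJuicer's code. It places a handler showing the vulnerable pattern (decoding the body as JSON whatever the Content-Type says) beside a hardened one, and replays the request a browser emits for the auto-submitting text/plain form the advisory describes, so the difference between the two handlers is visible as status codes. The endpoint path comes from the advisory; the `passcode` field, the `team` cookie name and the hosts `juice.example` / `attacker.example` are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// attackerPage is a constructed example of the cross-site page the advisory
// describes. With enctype="text/plain" the browser sends each field as
// name=value followed by CRLF, so a chosen name/value pair yields valid JSON:
//   {"passcode":"secret","pad":"="}
// Such a form POST is a "simple" request and is never preflighted.
const attackerPage = `<form id="f" method="POST" enctype="text/plain"
  action="https://juice.example/multi-juicer/api/teams/attacker/join">
  <input name='{"passcode":"secret","pad":"' value='"}'>
</form><script>document.getElementById("f").submit()</script>`

// joinRequest is an assumed request schema for this example, not MultiJuicer's.
type joinRequest struct {
	Passcode string `json:"passcode"`
}

// doJoin is the shared "join the team" action: on success the server plants a
// fresh team cookie. No existing cookie is needed, which is why SameSite on
// previously issued cookies does not stop the attack.
func doJoin(w http.ResponseWriter, r *http.Request) {
	var req joinRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Passcode == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	http.SetCookie(w, &http.Cookie{Name: "team", Value: "attacker", Path: "/",
		HttpOnly: true, SameSite: http.SameSiteStrictMode})
	w.WriteHeader(http.StatusOK)
}

// vulnerableJoin parses the body as JSON regardless of Content-Type, so the
// text/plain body produced by attackerPage is accepted.
func vulnerableJoin(w http.ResponseWriter, r *http.Request) { doJoin(w, r) }

// hardenedJoin refuses anything an HTML form can produce (only application/json
// passes) and, as defence in depth, anything the browser marks as cross-site
// via Fetch Metadata. A missing Sec-Fetch-Site header is tolerated because
// non-browser clients do not send it.
func hardenedJoin(w http.ResponseWriter, r *http.Request) {
	mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
	if err != nil || mt != "application/json" {
		http.Error(w, "unsupported media type", http.StatusUnsupportedMediaType)
		return
	}
	if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	doJoin(w, r)
}

// csrfFormRequest reconstructs what a browser sends for attackerPage: a
// text/plain body, cross-site Fetch Metadata, and no cookie for the target.
func csrfFormRequest() *http.Request {
	body := "{\"passcode\":\"secret\",\"pad\":\"=\"}\r\n"
	r := httptest.NewRequest(http.MethodPost, "/multi-juicer/api/teams/attacker/join", strings.NewReader(body))
	r.Header.Set("Content-Type", "text/plain")
	r.Header.Set("Origin", "https://attacker.example")
	r.Header.Set("Sec-Fetch-Site", "cross-site")
	return r
}

// jsonRequest is a proper API call; site is the Sec-Fetch-Site value to send.
func jsonRequest(site string) *http.Request {
	r := httptest.NewRequest(http.MethodPost, "/multi-juicer/api/teams/attacker/join", strings.NewReader(`{"passcode":"secret"}`))
	r.Header.Set("Content-Type", "application/json")
	r.Header.Set("Sec-Fetch-Site", site)
	return r
}

// status runs a handler against a request and returns the HTTP status code.
func status(h http.HandlerFunc, r *http.Request) int {
	rec := httptest.NewRecorder()
	h(rec, r)
	return rec.Code
}

func main() {
	fmt.Println("vulnerable, forged form post:", status(vulnerableJoin, csrfFormRequest()))       // 200
	fmt.Println("hardened,   forged form post:", status(hardenedJoin, csrfFormRequest()))         // 415
	fmt.Println("hardened,   same-origin JSON:", status(hardenedJoin, jsonRequest("same-origin"))) // 200
	fmt.Println("hardened,   cross-site JSON: ", status(hardenedJoin, jsonRequest("cross-site")))  // 403
}
```

The Content-Type check alone defeats the form-based attack, because a form cannot produce application/json and any cross-site fetch() that sets it is preflighted and blocked by CORS before it reaches the handler. The Sec-Fetch-Site check adds a second layer for browsers that send Fetch Metadata; it is not a replacement for an anti-CSRF token on endpoints that must accept form posts. Note that the text/plain form submission is a top-level navigation, so the cookie from the response is stored as a first-party cookie exactly as after a legitimate join.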
CVSS v3.1
Score: 4.3 (Medium)
Affected software
pkg:github/juice-shop/multi-juicer
Weaknesses
CWE-352: Cross-Site Request Forgery (CSRF)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-21T16:18:10.619Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3061600b89be688893d824
Added to database: 6/15/2026, 8:32:32 PM
Last enriched: 6/15/2026, 9:15:50 PM
Last updated: 6/16/2026, 4:18:39 AM