Missing CSRF Validation on State-Changing Routes (DOM-26-001)


Summary

Five state-changing POST routes did not validate the CSRF token server-side. On most of them the client already sent a token, but the server never compared it against anything, so a request forged by an attacker-controlled page could perform those actions with the session of a logged-in user who visited that page. The browser attaches the session cookie to the forged request; the attacker never needs to know the token because it is never checked.
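The following is an added illustration of the flaw class and its fix, written for this advisory; it is not Digi On-Prem Manager's code, and the route, session layout and handler names are hypothetical. It shows a handler that reads the CSRF token but never checks it, next to one that rejects a missing token and compares the submitted token against the session-bound value in constant time, then simulates both a forged cross-site request and a legitimate one.

```python
import hmac
import secrets

# Constructed session record (not the product's real data model).
# The server issues one CSRF token per session and keeps a copy of it.
def new_session(user):
    return {"user": user, "csrf_token": secrets.token_urlsafe(32), "actions": []}

def vulnerable_handler(session, form):
    """The pattern described in the advisory: the client sends a token, the
    server reads it and then ignores it, so any request that carries a valid
    session cookie succeeds."""
    _token = form.get("csrf_token")  # read, never compared
    session["actions"].append(form["action"])
    return 200

def hardened_handler(session, form):
    """Server-side validation: a missing token is rejected outright, and a
    present token must match the session's copy (constant-time compare)."""
    submitted = form.get("csrf_token")
    if not submitted:
        return 403
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403
    session["actions"].append(form["action"])
    return 200

def simulate_cross_site_request(handler):
    """A forged POST from an attacker-controlled page. The victim's browser
    attaches the session cookie, but the attacker cannot read the per-session
    token, so the forged form carries a guess (hypothetical action name)."""
    victim = new_session("admin")
    forged_form = {"action": "delete_device", "csrf_token": "attacker-guess"}
    status = handler(victim, forged_form)
    return status, victim["actions"]

def simulate_tokenless_request(handler):
    """Same forgery, but without any token field at all; a correct fix must
    reject this rather than treat a missing token as acceptable."""
    victim = new_session("admin")
    status = handler(victim, {"action": "delete_device"})
    return status, victim["actions"]

def simulate_legitimate_request(handler):
    """A same-origin POST that includes the token the server issued."""
    victim = new_session("admin")
    form = {"action": "delete_device", "csrf_token": victim["csrf_token"]}
    status = handler(victim, form)
    return status, victim["actions"]

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, "cross-site:", simulate_cross_site_request(handler))
        print(name, "tokenless:", simulate_tokenless_request(handler))
        print(name, "legitimate:", simulate_legitimate_request(handler))
```

Two details matter when retrofitting a check like this onto routes that already exist: the token must be bound to the session (a value that is merely present in the form proves nothing), and routes whose client never sent a token need the client changed as well, because the hardened handler must refuse a missing token rather than fall back to the old behaviour.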

The fix shipped in v26.04.1 (April 2026); this advisory is being published now as part of a consolidated disclosure.

Solution

Users should update to v26.04.1 or later.

Mitigations

For users unable to upgrade:

  • Avoid visiting untrusted websites while logged in to Digi On-Prem Manager
  • Log out of Digi On-Prem Manager when not actively using it; a forged request only succeeds while the browser still holds a valid session cookie

Affected Versions

  • Digi On-Prem Manager versions before v26.04.1