ctipilot.ch

ANSSI / CERT-FR CERTFR-2026-AVI-0635 on SPIP < 4.4.15 security-policy bypass; dominant French public-administration CMS, EU/CH Francophone government deployment

vulnerability-trend · item:anssi-certfr-2026-avi-0635-spip-4-4-15-security-policy-bypass-fr-public-admin

  • Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
  • Briefs: 1 (1 distinct)
  • Sources cited: 3 (2 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-23 · CTI Daily Brief — 2026-05-23
    active_threats: ANSSI/CERT-FR advisory 2026-05-22 on SPIP < 4.4.15 security-policy bypass. SPIP 4.4.15 released same day. No CVE assigned. SPIP is predominant CMS in French public administration, Romandie cantonal/communal sites, Belgian Francophone government. Follow-on to 4.4.14 (CERTFR-2026-AVI-0564, 2026-05-12) which fixed multiple RCEs. Auth/ACL bypass classification typical for CERT-FR.

Where this entity is cited

  • active_threats (1)

Source distribution

  • cert.ssi.gouv.fr: 2 (67%)
  • blog.spip.net: 1 (33%)

Related entities

Items in briefs about ANSSI / CERT-FR CERTFR-2026-AVI-0635 on SPIP < 4.4.15 security-policy bypass; dominant French public-administration CMS, EU/CH Francophone government deployment (1)

ANSSI / CERT-FR publishes CERTFR-2026-AVI-0635 on SPIP < 4.4.15 — security-policy bypass in the dominant French public-administration CMS

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

ANSSI / CERT-FR issued CERTFR-2026-AVI-0635 on 2026-05-22 covering a security-policy bypass vulnerability in SPIP (Système de Publication pour l'Internet) versions prior to 4.4.15; SPIP 4.4.15 was released the same day (SPIP blog, 2026-05-22). The advisory describes the issue in CERT-FR's standard wording (translated from the French): "A vulnerability has been discovered in SPIP. It allows an attacker to bypass the security policy. SPIP versions prior to 4.4.15 are affected." No CVE identifier or CVSS score is attached to the CERT-FR notice yet, and no exploitation in the wild has been reported.

The SPIP project blog characterises the underlying issue specifically as an open-redirect vulnerability in the cookie action; the "policy bypass" framing in the CERT-FR advisory is the standard generic catch-all used by ANSSI, not a separate finding. SPIP is the predominant CMS across French public administration (préfectures, ministries, research institutions) and the Francophone government sphere in Belgium, Switzerland (Romandie cantonal and communal sites) and Canada. Open-redirect issues in authenticated cookie paths are typically chained into account impersonation or token laundering against OAuth/OpenID Connect identity providers, so the EU/CH public-sector risk is concrete even before a CVE is assigned. SPIP 4.4.15 is the immediate follow-on to the earlier-May 4.4.14 security release. Detection vantage: review SPIP access logs for unexpected redirect-parameter values on the cookie-action endpoint and any 30x responses that send users to hosts outside the site's own domain; defenders should also note that Swiss cantonal and communal administrations using SPIP for public portals fall under the 24-hour NCSC.ch reporting obligation for critical-infrastructure operators if a SPIP intrusion is later confirmed.
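As an added example (not code from the brief, from CERT-FR or from the SPIP project), the detection vantage above implemented as a Python filter over constructed access-log lines. It assumes the cookie action is reached via spip.php?action=cookie and that the redirect destination travels in a query parameter named redirect or url; both names are placeholders to confirm against the SPIP version actually deployed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/nginx combined format; hosts and IPs are illustrative.
SAMPLE_LOG = """\
203.0.113.7 - - [22/May/2026:10:14:02 +0200] "GET /spip.php?action=cookie&redirect=%2Fspip.php%3Fpage%3Dlogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [22/May/2026:10:15:44 +0200] "GET /spip.php?action=cookie&redirect=https%3A%2F%2Fevil.example%2Fsso HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [22/May/2026:10:16:10 +0200] "GET /spip.php?action=cookie&redirect=%2F%2Fevil.example%2F HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.5 - - [22/May/2026:10:17:01 +0200] "GET /spip.php?page=sommaire HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.6 - - [22/May/2026:10:18:33 +0200] "GET /spip.php?action=cookie&redirect=https%3A%2F%2Fportal.example.ch%2Fspip.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Assumed (placeholder) names for the SPIP cookie action and its redirect parameter.
COOKIE_ACTION = "cookie"
REDIRECT_PARAMS = ("redirect", "url")


def is_external(target, own_hosts):
    """True if the redirect target names a host outside own_hosts.

    A second unquote catches double-encoded values; scheme-relative (//host)
    and absolute (scheme://host) targets carry a host, plain paths do not.
    """
    t = unquote(target).strip()
    if t.startswith("//"):
        host = urlsplit("http:" + t).hostname
    else:
        parts = urlsplit(t)
        if not parts.scheme:
            return False  # same-origin path, not an open redirect
        host = parts.hostname
    return host is not None and host.lower() not in own_hosts


def find_suspicious_redirects(log_text, own_hosts):
    """Return cookie-action requests whose redirect parameter points off-site and
    that were answered with a 30x response."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = parse_qs(urlsplit(m["target"]).query)
        if q.get("action", [None])[0] != COOKIE_ACTION:
            continue
        for p in REDIRECT_PARAMS:
            for dest in q.get(p, []):
                if m["status"].startswith("3") and is_external(dest, own_hosts):
                    hits.append({"ip": m["ip"], "ts": m["ts"], "dest": dest, "status": m["status"]})
    return hits
```

Run it against the real access log with own_hosts set to every hostname the portal legitimately serves, and review each hit rather than treating the count as an alert on its own.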

Why it matters to us: every Romandie cantonal/communal SOC with a SPIP-built portal needs to patch in this cycle; the absence of a CVE makes it easy to overlook on automated patch-track reports.