Critical CSRF Gap Exposes API Mutation Endpoints to Forced-Action Attacks
A security disclosure flags multiple state-mutating REST API endpoints under `/api/v1/` for lacking Cross-Site Request Forgery (CSRF) protection when default configurations are in use. The vulnerability, classified as high severity, affects dashboard save, chart update, and dataset delete operations, all core administrative functions. Because these endpoints accept forged requests, a third-party website visited by a logged-in administrator could cause that administrator's browser to make unintended changes without their knowledge.
The root cause centers on the `WTF_CSRF_ENABLED` configuration flag defaulting to `False`. Under this setting, three endpoints—`POST /api/v1/dashboard/`, `PUT /api/v1/chart/{id}`, and `DELETE /api/v1/dataset/{id}`—skip token validation entirely. An attacker could craft a malicious page that triggers these requests while the admin is logged in, effectively forcing the victim's session to perform state changes without consent.
Security researchers are urging that CSRF validation be enforced by default across all mutation endpoints rather than left to operator configuration. The recommended remediation includes making `WTF_CSRF_ENABLED = True` a non-negotiable default, adding dedicated middleware to intercept requests lacking valid tokens, and explicitly documenting the security risk of disabling CSRF in `config.py`. Until patches land, any deployment relying on out-of-the-box settings faces elevated exposure. The issue aligns with attack patterns outlined in the OWASP CSRF Prevention Cheat Sheet.
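As an added illustration, not code from the disclosure or the affected project, the following stdlib-only Python sketch shows the shape of the recommended middleware: a synchronizer token tied to the session and checked on every mutating request, with `/api/v1/` enforcement that cannot be switched off by a `False` configuration flag. The `Request` model, the `X-CSRFToken` header name and `SECRET_KEY` are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed example secret; a real deployment loads this from config, never source.
SECRET_KEY = b"constructed-example-secret"
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal request model for the example: method, path, session, headers."""
    method: str
    path: str
    session: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_csrf_token(session: dict) -> str:
    """Create a random per-session secret (once) and return its HMAC.
    The legitimate UI echoes this value back in the X-CSRFToken header."""
    raw = session.setdefault("csrf_secret", secrets.token_hex(32))
    return hmac.new(SECRET_KEY, raw.encode(), hashlib.sha256).hexdigest()


def csrf_guard(req: Request, csrf_enabled: bool = False):
    """Middleware-style check. Returns None to allow the request, or a
    (status, reason) tuple to reject it. Mutating /api/v1/ requests are always
    checked, so a WTF_CSRF_ENABLED-style flag defaulting to False cannot bypass it."""
    if req.method not in MUTATING_METHODS:
        return None  # safe methods carry no state change
    if not req.path.startswith("/api/v1/") and not csrf_enabled:
        return None  # non-API routes still honor the operator's setting
    secret = req.session.get("csrf_secret")
    supplied = req.headers.get("X-CSRFToken")
    # A forged cross-site request arrives with the victim's session cookie but
    # cannot add a custom header, so it fails here before any handler runs.
    if secret is None or supplied is None:
        return (403, "missing CSRF token")
    expected = hmac.new(SECRET_KEY, secret.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, supplied):
        return (403, "invalid CSRF token")
    return None


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(csrf_guard(Request("DELETE", "/api/v1/dataset/7", session=session)))
    print(csrf_guard(Request("DELETE", "/api/v1/dataset/7", session=session,
                             headers={"X-CSRFToken": token})))
```

The first call models a forged request from a third-party page and is rejected; the second models the application's own UI and passes.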