MEDIUM 5.3

CVE-2026-38978: Transmission Clickjacking Vulnerability in WebUI and RPC Paths

Transmission, a popular BitTorrent application, contains a clickjacking vulnerability affecting versions up to and including 4.1.1. The flaw allows an attacker to trick users into performing unintended actions through the application's web interface or RPC (remote procedure call) endpoints by overlaying malicious content on top of legitimate interface elements. This requires user interaction but does not require the attacker to be authenticated or have any special privileges to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-113
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

transmission through 4.1.1 was found to have a clickjacking weakness in the browser-facing WebUI and RPC response paths.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-38978 is a clickjacking vulnerability (CWE-113) in Transmission that affects the browser-facing WebUI and RPC response paths. The vulnerability has a CVSS 3.1 score of 5.3 (MEDIUM severity) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, no privilege requirement, no authentication needed, but user interaction is a prerequisite. The vulnerability is confined to the user session context (unchanged security scope) and results in integrity impact only—attackers cannot gain elevated access or trigger denial of service.

Business impact

Clickjacking vulnerabilities can lead to unauthorized configuration changes, credential harvesting, or manipulation of torrent operations without user awareness. In a Transmission deployment, an attacker could trick users into modifying download directories, altering bandwidth settings, adding malicious torrent sources, or exposing sensitive RPC credentials. This is particularly concerning in organizations or shared hosting environments where Transmission manages critical data transfers. The integrity impact is limited to the user's session, but coordinated exploitation across multiple users could affect operational reliability.

Affected systems

Transmission versions through 4.1.1 are affected. The vulnerability exists in both the browser-based WebUI and RPC response handling paths, meaning exposure depends on whether these interfaces are accessible—either through local web access or remote RPC listeners. Systems running older Transmission versions or those with the WebUI/RPC publicly exposed face higher risk.

Exploitability

This is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not been widely reported or confirmed at publication. However, clickjacking attacks are relatively straightforward to construct and do not require complex tooling. The attack surface is broad since it requires only network access and user interaction; no special configuration or privilege escalation is needed. The low attack complexity means a motivated attacker can craft a reliable exploit with minimal setup.

Remediation

Update Transmission to a patched version released after 4.1.1. Verify the exact patched version against the official Transmission project advisory or release notes. Additionally, restrict access to the WebUI and RPC endpoints to trusted networks only; do not expose these interfaces directly to the internet without authentication and encryption (HTTPS/TLS). Implement X-Frame-Options headers (DENY or SAMEORIGIN) on the WebUI to provide defense-in-depth against framing attacks.

Patch guidance

Consult the official Transmission project repository and security advisories for the version that addresses CVE-2026-38978. Apply patches as soon as testing permits, prioritizing systems where the WebUI or RPC is exposed or accessible from untrusted networks. Verify the patch is installed by checking the application version and confirming that security headers are present in WebUI responses.

Detection guidance

Monitor for unexpected changes to Transmission settings, download directories, or bandwidth configurations that occur without user action or logged administrator changes. Review HTTP access logs to the WebUI for unusual referrer patterns or cross-origin requests that may indicate framing attempts. In RPC-enabled environments, audit RPC call logs for suspicious commands originating from unexpected sources. Monitor network traffic for signs of clickjacking payloads or iframes embedding the Transmission interface.

Why prioritize this

Although the CVSS score is moderate (5.3), the vulnerability warrants prompt patching because it affects integrity in a data-transfer critical application, requires only network access and user interaction to exploit, and is not defended by default in most deployments. Organizations relying on Transmission for regulated or sensitive data transfers should treat this as higher priority. The lack of KEV listing does not diminish urgency, as clickjacking techniques are well-established and easy to weaponize.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a network-accessible, low-complexity attack that requires user interaction but results in integrity compromise without confidentiality loss or availability impact. The score appropriately captures that this is a UI-level manipulation attack rather than a code execution or authentication bypass. Organizations should not treat MEDIUM severity as low-risk; integrity violations in configuration and file handling can have cascading business consequences.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. This is a clickjacking vulnerability limited to integrity impact. An attacker cannot execute arbitrary code, gain shell access, or crash the application. They can only trick users into performing unintended actions via the WebUI or RPC interface.

Do I need to be authenticated to exploit this vulnerability?

No authentication is required to craft or deliver a clickjacking attack. However, the victim user (who is typically authenticated to Transmission) must be tricked into visiting a malicious webpage or clicking a specially crafted link. The vulnerability exploits trust in the UI, not a missing authentication check.

Why is this vulnerability not on CISA's KEV list?

Inclusion on the Known Exploited Vulnerabilities catalog indicates confirmed active exploitation in the wild. This vulnerability was not on that list at publication, which may reflect limited public disclosure or exploitation activity at the time. This does not mean the vulnerability is safe to ignore; organizations should still patch promptly.

How can I reduce risk if I cannot patch immediately?

Restrict network access to the Transmission WebUI and RPC endpoints to trusted IPs only. Use a firewall to block external connections, or place Transmission behind a reverse proxy that enforces authentication and encryption. Educate users to avoid clicking suspicious links while Transmission sessions are active.

This analysis is provided for informational purposes and reflects the state of publicly available information as of the publication date. SEC.co does not guarantee the accuracy of vendor patch information or KEV status beyond the official sources cited. Organizations must verify patch availability and compatibility with their specific environment before deployment. This document does not constitute legal advice or a substitute for professional security consultation. Consult official vendor advisories and security bulletins for definitive remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).