[5.x]: [Craft 5] CSRF token invalidated by provisional draft creation causes 400 errors on modal actions (assets, links) for unsaved entries

[yogesh3694]

What happened?

Description

When creating a new entry and performing certain actions (opening the asset browser, inserting a link to an entry) before the entry has been saved for the first time, the following action endpoints return 400 errors:

• POST actions/element-indexes/get-elements
• POST actions/app/icon-svg

The suspected cause is that Craft 5 creates a provisional draft in the background when a new unsaved entry is opened. This appears to rotate or invalidate the CSRF token that was issued with the original page load. Subsequent action requests (such as opening a modal) are then rejected with 400 because they carry the old token.

This was introduced or changed in the Craft 5.x series.

---

Steps to reproduce

1. Create a new entry (do not save it).
2. Begin adding content to the draft — add text, use fields, etc.
3. After a few interactions, open a pop-up modal — e.g. the asset browser (add an image) or link to an entry.
4. Observe 400 responses on the above endpoints.
5. Note that some errors also occur when Live Preview is opened without saving first.

---

Expected behavior

CSRF tokens remain valid throughout an editing session for an unsaved provisional draft, so modal actions (asset browser, link picker, etc.) work correctly before the first save.

---

Actual behavior

• POST actions/element-indexes/get-elements → 400
• POST actions/app/icon-svg → 400
• The asset browser folder does not open.
• Console shows: Uncaught (in promise) undefined
• Errors begin after a few requests, typically when a modal is first triggered.

Craft CMS version

5.10.5

PHP version

8.4.10

Operating system and version

Linux 6.17.0-1017-aws

Database type and version

MySQL 8.0.44

Image driver and version

GD 8.4.10

Installed plugins and versions

1781142808277.log
1781142675392.log

[linear-code]

CMS-2196

[yogesh3694]

Hi @brandonkelly,

Just wanted to follow up on this issue as we haven't heard back yet. We are still experiencing this on Craft 5.10.5 and it is affecting our editors' workflow.

Workaround confirmed: Saving the entry before opening the asset browser or link picker does prevent the 400 errors — but this is not ideal as editors expect to be able to add images and links before their first save.

Quick recap:

• POST actions/element-indexes/get-elements → 400
• POST actions/app/icon-svg → 400
• Only occurs on unsaved provisional drafts
• Also triggered when opening Live Preview before first save
• Console logs are attached to the original report above

Could you let us know if this is on your radar or if a fix is planned? Happy to test a patch or provide any additional details.

Thank you!

[craftedsystems]

Hi, you tagged the wrong person. I'm not on the Craft CMS team.

[yogesh3694]

Hi, you tagged the wrong person. I'm not on the Craft CMS team.

Thanks for the your response, I updated the my comments.

[brandonkelly]

I’m not able to reproduce this. The only time the CSRF token is rotated is when the user session state changes (user signs in, or signs out).

Is this happening on a load-balanced environment? If so it could be that requests are getting sent to different servers, causing the user session to not persist.

Try testing locally on a simple dev environment. If you can reproduce the problem there as well, then maybe a plugin/module is somehow causing this behavior. You can send your database backup, Composer files, and any custom plugins/modules into support@craftcms.com and we can help look into it from there.

If you can’t reproduce locally, then read through Configuring Craft for Load-Balanced Environments and make sure you’re following all of our guidance there.