CVE-2026-24007

Published: Feb 2, 2026Modified: Feb 23, 2026

4.6

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L

Exploitability: 2.1 / Impact: 2.5

Source: security-advisories@github.com (Secondary)

Description

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9.

Affected (4)

Products: Enalean: Tuleap

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Enalean Tuleap	Before 17.0.99.1768924735
Enalean Tuleap	Before 17.0-9
Enalean Tuleap	From 17.1 to 17.1-6
Enalean Tuleap	From 17.2 to 17.2-5

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://github.com/Enalean/tuleap/commit/5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5

Source: security-advisories@github.com

Patch

https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw

Source: security-advisories@github.com

PatchVendor Advisory

https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5

Source: security-advisories@github.com

Broken Link

https://tuleap.net/plugins/tracker/?aid=46389

Source: security-advisories@github.com

Issue Tracking

Timeline

No history available yet.