← Back

CVE-2026-31874

nvd nist
Published: Mar 11, 2026Modified: Mar 20, 2026

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: security-advisories@github.com (Secondary)

Description

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.

Affected (1)

Products: Taskosaur: Taskosaur
Taskosaur
1 product
Taskosaur
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Taskosaur
Version 1.0.0

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-639
Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.