Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable IDOR with low complexity, but reaching other users' data realistically needs an authenticated session (PR:L); read-only exposure yields C:H, I:N, A:N.
Primary rating from Vendor (3DS).
CVSS VectorVendor: 3DS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization.
AnalysisAI
Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation targets a Tuleap Enterprise Edition (17.0-17.5) endpoint that fetches data using a client-supplied object key (an artifact, record, user, or resource identifier) without verifying the requester's ownership of that object; the attacker must be able to reach the affected endpoint over the network and supply or enumerate valid identifiers belonging to other users. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Severity is driven entirely by confidentiality: CVSS 3.1 base 7.5 comes from C:H with I:N/A:N, meaning read-only data exposure and no ability to modify or disrupt. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with (likely) a low-privilege Tuleap account issues API or web requests to a data-retrieval endpoint, substituting the object identifier tied to their own account with identifiers belonging to other users or projects. Because the server trusts the user-supplied key without an ownership check, it returns data the attacker should not see, and iterating through IDs enables bulk harvesting of other users' information. … |
| Remediation | Patch available per vendor advisory: upgrade Tuleap Enterprise Edition to a fixed release above 17.5 as directed in the 3DS advisory at https://www.3ds.com/trust-center/security/security-advisories/cve-2026-14165 (an exact fixed version was not included in the provided data, so confirm the target release with the advisory before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all Tuleap Enterprise Edition deployments to identify instances running versions 17.0-17.5, enable comprehensive access logging at the application and database layer, and create full encrypted backups. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43300
GHSA-8q3h-3r8x-274j