CVE-2026-31874
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can modify the registration request payload and assign themselves elevated privileges. Because the backend neither enforces server-side role assignment nor ignores the client-supplied role parameter, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.
Analysis
Missing authorization on role assignment (mass assignment of the role field) during registration in Taskosaur 1.0.0: the server trusts a client-supplied role value instead of assigning the role itself, so an unauthenticated request can create a SUPER_ADMIN account.
Remediation
Within 24 hours: disable new user registration in Taskosaur 1.0.0, or restrict registration to trusted IP ranges; audit all user accounts created in the past 30 days for unauthorized privilege escalation (accounts holding SUPER_ADMIN or other elevated roles that were not provisioned by an administrator). Within 7 days: conduct a comprehensive access control review of all existing user roles and permissions; implement network segmentation to limit lateral movement from a compromised Taskosaur instance. …
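The two handler patterns the description contrasts, one that spreads the client body into the new record and one that reads only allowlisted fields and assigns the role server-side, together with the account audit the remediation calls for, as an added TypeScript example. This is not Taskosaur's code: the in-memory UserStore, the field names, the 12-character password minimum and the sample payload are assumptions made for illustration.

```typescript
// Added example, not Taskosaur's code: client-controlled role at registration
// versus an allowlisted handler, plus the post-incident account audit.

type Role = "USER" | "ADMIN" | "SUPER_ADMIN";

interface User {
  id: number;
  email: string;
  role: Role;
  createdAt: Date;
}

// Hypothetical in-memory user table standing in for the real database.
class UserStore {
  readonly rows: User[] = [];
  private nextId = 1;

  insert(fields: Omit<User, "id">): User {
    const user: User = { id: this.nextId++, ...fields };
    this.rows.push(user);
    return user;
  }
}

// Vulnerable pattern: the request body is spread into the new record, so the
// server-side default role is overwritten by whatever the client sent.
function registerVulnerable(store: UserStore, body: Record<string, unknown>): User {
  const record = { email: "", role: "USER", createdAt: new Date(), ...body };
  return store.insert(record as unknown as Omit<User, "id">);
}

// Hardened pattern: only explicitly allowed fields are read from the body, the
// role is assigned by the server, and any unexpected field (such as "role")
// rejects the whole request instead of being silently accepted or ignored.
const REGISTRATION_FIELDS = new Set(["email", "password", "name"]);

function registerHardened(store: UserStore, body: Record<string, unknown>): User {
  for (const key of Object.keys(body)) {
    if (!REGISTRATION_FIELDS.has(key)) {
      throw new Error(`unexpected field in registration payload: ${key}`);
    }
  }
  const { email, password } = body;
  if (typeof email !== "string" || !email.includes("@")) {
    throw new Error("invalid email");
  }
  // 12 characters is an assumed policy; password hashing and storage are
  // omitted because they are not the point of this example.
  if (typeof password !== "string" || password.length < 12) {
    throw new Error("password too short");
  }
  return store.insert({ email, role: "USER", createdAt: new Date() });
}

// Audit step from the remediation: every account above USER created on or
// after `since` is a candidate for an attacker-registered admin account.
function privilegedAccountsSince(store: UserStore, since: Date): User[] {
  return store.rows.filter(
    (u) => u.role !== "USER" && u.createdAt.getTime() >= since.getTime(),
  );
}

// Constructed attacker payload: a normal sign-up with an extra "role" field.
const attackerPayload: Record<string, unknown> = {
  email: "attacker@example.com",
  password: "correct-horse-battery",
  role: "SUPER_ADMIN",
};

function demo(): { vulnerableRole: Role; hardenedRejected: boolean; flagged: number } {
  const store = new UserStore();
  const vulnerableRole = registerVulnerable(store, attackerPayload).role;
  let hardenedRejected = false;
  try {
    registerHardened(store, attackerPayload);
  } catch {
    hardenedRejected = true;
  }
  const thirtyDaysAgo = new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
  const flagged = privilegedAccountsSince(store, thirtyDaysAgo).length;
  return { vulnerableRole, hardenedRejected, flagged };
}

console.log(demo());
```

Rejecting unknown fields, rather than dropping them, is deliberate: a client sending `role` is either a bug or an attack, and either way the operator wants to see it in the logs. Frameworks can enforce the same allowlist at the boundary (NestJS's ValidationPipe with `whitelist` and `forbidNonWhitelisted`, for example), but the role must still come from server-side logic, never from the DTO.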