Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
PR:N confirmed by AllowAny bypass; scope unchanged and impact limited to low integrity write on due-date records only.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves.
AnalysisAI
Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond network access to the Taiga API - the affected POST endpoints apply AllowAny by default, enabling unauthenticated exploitation against any network-reachable taiga-back instance running a version below 6.10.2. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is a fully remote, low-complexity, unauthenticated attack with no prerequisite conditions - it scores as highly automatable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker targeting an internet-exposed Taiga deployment sends crafted POST requests to the unprotected due-date API endpoints, supplying arbitrary project identifiers enumerated from public project slugs or brute-forced. The attacker pre-populates due-date records across multiple projects before administrators can initialize them, disrupting project planning workflows. … |
| Remediation | Upgrade taiga-back to version 6.10.2, which resolves the missing authorization by enforcing project-level permission checks on the affected due-date POST endpoints; the authoritative patch is documented at https://github.com/taigaio/taiga-back/commit/f925af424623350e04d4abc45bf1dc70e70c48a9 and the release is available at https://github.com/taigaio/taiga-back/releases/tag/6.10.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41428
GHSA-9rxg-cv94-jvcq