OWASP DefectDojo CVE-2026-7510
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability was determined in OWAP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.56.0 addresses this issue. This patch is called eb6120a379185d37eb1af17b69bb5614a830ab1f. Upgrading the affected component is recommended.
AnalysisAI
Authorization bypass in OWASP DefectDojo up to version 2.55.4 allows authenticated users to manipulate objects in Benchmark, Engagement, Product, and Survey components by directly accessing resources via unvalidated object IDs, bypassing ownership checks. The vulnerability affects multiple endpoints that retrieve objects without verifying the requesting user has authorization to access the specific resource, enabling lateral privilege escalation and unauthorized data modification. Publicly disclosed exploit code exists, and the vulnerability requires network access with valid authentication credentials to exploit.
Technical ContextAI
The vulnerability stems from insecure direct object references (IDOR) in Django view functions across multiple DefectDojo modules. The root cause is CWE-285 (Improper Authorization), specifically the absence of ownership validation when retrieving database objects. Django's get_object_or_404() function retrieves objects by ID alone without filtering by the authenticated user or owning entity. The affected views include benchmark product summaries, engagement risk acceptance records, product engagement presets, and survey responses. The patch (commit eb6120a379185d37eb1af17b69bb5614a830ab1f) adds ownership filters using Django ORM queryset filtering-for example, changing from get_object_or_404(Benchmark_Product, id=bench_id) to get_object_or_404(Benchmark_Product.objects.filter(product=product), id=bench_id)-ensuring objects are only retrievable if they belong to the expected parent entity. This pattern is applied consistently across benchmark/views.py, engagement/views.py, product/views.py, and survey/views.py.
Affected ProductsAI
OWASP DefectDojo versions up to and including 2.55.4 are affected. The vulnerability is present in the benchmark, engagement, product, and survey management modules. Vendor-released patch: version 2.56.0 and later. The fix is also available via GitHub commit eb6120a379185d37eb1af17b69bb5614a830ab1f and pull request #14375.
RemediationAI
Upgrade OWASP DefectDojo to version 2.56.0 or later immediately. The patch adds ownership and relationship validation to all affected view functions, preventing unauthorized access to benchmark summaries, engagement risk acceptances, product presets, and survey responses. No workarounds are available for unpatched versions; the vulnerability is fundamental to the view logic and cannot be mitigated via configuration. If immediate upgrading is not feasible, restrict DefectDojo access to a single team or product owner and implement network-level access controls limiting user accounts that can authenticate. However, these compensating controls are imperfect-they reduce blast radius but do not eliminate the vulnerability. Upgrade is the only complete remediation. See GitHub release 2.56.0 and commit eb6120a379185d37eb1af17b69bb5614a830ab1f for patch details.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today