Skip to main content

Taiga Back

1 CVEs product

Monthly

CVE-2026-59097 MEDIUM POC PATCH This Month

Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.

Authentication Bypass Taiga Back
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Month

Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.

Authentication Bypass Taiga Back
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy