Taiga Back
Monthly
Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.
Unauthenticated remote attackers can create default due-date records in any Taiga project by exploiting missing authorization on POST endpoints across the user-story, task, and issue due-date API viewsets in taiga-back before 6.10.2. The endpoints default to the AllowAny permission class (CWE-862), entirely bypassing project-level access controls and accepting arbitrary project identifiers in request bodies. No active exploitation is confirmed in CISA KEV, but a publicly available exploit exists, and the attack requires zero authentication, making exploitation trivially automatable against any network-exposed Taiga instance.