CVE Catalog

CVE-2026-59097

Severity: Medium (CVSS 5.3)
Source: translated from NVD (NIST)

Exploitation Probability (EPSS)

Low risk
0.34%

26th percentile — higher than 26% of all known CVEs

Summary

Taiga before version 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project via unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. These endpoints skip the project permission checks and fall back to the AllowAny default, so an attacker can supply an arbitrary project identifier and create the records before the project's administrators initialize their own due dates.

Risk Assessment

The risk is that an unauthenticated attacker can pre-empt project administrators by creating a project's default due-date records first, preventing the administrators from setting those defaults themselves and disrupting due-date management and planning in the affected projects.

Recommendation

Immediately upgrade Taiga to version 6.10.2 or later, which includes a fix for the missing authorization vulnerability in the API endpoints.

Original NVD description (English source)

Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS