CVE-2026-24007
CSRF Vulnerability in Tuleap Overview Allows Unauthorized Item Modification
Publication date: 2026-02-02
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Affected version range |
|---|---|---|
| enalean | tuleap | < 17.0.99.1768924735 |
| enalean | tuleap | < 17.0-9 |
| enalean | tuleap | >= 17.1, < 17.1-6 |
| enalean | tuleap | >= 17.2, < 17.2-5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Tuleap is a missing Cross-Site Request Forgery (CSRF) protection in the Overview "inconsistent items" feature. Because the request that repairs inconsistent items is not tied to a token the victim's browser must present, an attacker could trick a logged-in victim into performing that action, specifically repairing inconsistent items by creating artifact links from the release, without the victim's consent.
How can this vulnerability impact me?
The vulnerability could allow an attacker to manipulate the Tuleap system by causing users to unknowingly repair inconsistent items, potentially leading to unauthorized changes in artifact links. This could affect the integrity of project data and collaboration workflows.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Tuleap to the fixed versions: Tuleap Community Edition 17.0.99.1768924735 or Tuleap Enterprise Edition 17.2-5, 17.1-6, or 17.0-9. Applying these updates will restore CSRF protection and prevent attackers from exploiting the inconsistent items overview.
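The generic defence against CWE-352 on a state-changing endpoint is the synchronizer-token pattern: the server issues a per-session secret that the legitimate form carries back, and the handler refuses any request that lacks it. The following added example is not Tuleap's code; the handler name `repair_inconsistent_items`, the session and form dictionaries, and the release/artifact-link model are assumptions used to show the unprotected handler beside its protected form.

```python
"""Synchronizer-token CSRF check, shown as a before/after on a hypothetical
"repair inconsistent items" handler. Illustrative code, not Tuleap's."""
import hmac
import secrets
from typing import Dict, List, Optional


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create (or reuse) the per-session token that the legitimate form embeds."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_is_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Reject missing tokens and compare in constant time to avoid timing leaks."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def repair_inconsistent_items_vulnerable(
    session: Dict[str, str], form: Dict[str, str], artifact_links: List[str]
) -> bool:
    """Unprotected handler (assumed model of the flaw): it only trusts the session
    cookie, which the browser attaches to a cross-origin form post as well."""
    artifact_links.append(form["release_id"])
    return True


def repair_inconsistent_items_fixed(
    session: Dict[str, str], form: Dict[str, str], artifact_links: List[str]
) -> bool:
    """Protected handler: the same action, gated on the synchronizer token."""
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return False  # a forged cross-site request cannot know the token
    artifact_links.append(form["release_id"])
    return True


def demo() -> Dict[str, bool]:
    """Constructed scenario: one legitimate submission and one forged one."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    legitimate = {"release_id": "rel-42", "csrf_token": token}   # constructed
    forged = {"release_id": "rel-42"}                             # attacker's form, no token
    links_vuln: List[str] = []
    links_fixed: List[str] = []
    return {
        "vulnerable_accepts_forged": repair_inconsistent_items_vulnerable(session, forged, links_vuln),
        "fixed_rejects_forged": not repair_inconsistent_items_fixed(session, forged, links_fixed),
        "fixed_accepts_legitimate": repair_inconsistent_items_fixed(session, legitimate, links_fixed),
        "fixed_links_written_once": len(links_fixed) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The fixed handler should also reject a token that belongs to another session, which the check above does implicitly because it only compares against the caller's own session value; pairing the token with a `SameSite` cookie attribute adds a second, browser-enforced layer.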