CVE-2026-10285
Deferred Deferred - Pending Action
Improper Authorization in DevaslanPHP Project-Management

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: VulDB

Description
A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-02
EPSS Evaluated
2026-06-20
NVD
CVE-2026-10285
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devaslanphp project-management to 2.0.0-beta1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the DevaslanPHP project-management software up to version 2.0.0-beta1. It affects the function KanbanScrumHelper::recordUpdated within the Ticket Handler component. The issue is due to improper authorization, which means that the system does not correctly verify if a user has permission to perform certain actions. This flaw can be exploited remotely by an attacker.

Compliance Impact

The vulnerability in DevaslanPHP project-management involves improper authorization allowing cross-project ticket status manipulation and unauthorized access or modification of tickets, comments, timesheets, and epics. Such unauthorized access and data manipulation can lead to violations of data protection principles required by standards like GDPR and HIPAA, which mandate strict access controls and data integrity.

Specifically, the lack of ownership verification and missing authorization checks could result in unauthorized users accessing or altering sensitive project data, potentially exposing personal or sensitive information. This undermines compliance with regulations that require ensuring confidentiality, integrity, and proper authorization of data access.

Therefore, until the recommended fixesβ€”such as adding authorization checks and scoping data accessβ€”are implemented, the vulnerability poses a risk to compliance with common standards and regulations that emphasize data security and privacy.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized or improper authorization attempts related to the KanbanScrumHelper::recordUpdated function in the DevaslanPHP project-management system.

Since the vulnerability allows remote manipulation of ticket statuses across projects without verifying ownership or membership, monitoring for unusual or unauthorized changes to ticket statuses or cross-project ticket modifications can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Review application logs for calls to the `recordUpdated()` function or related API endpoints that handle ticket status updates.
  • Use web application firewall (WAF) or intrusion detection system (IDS) rules to flag requests that attempt to update tickets in projects where the user is not a member.
  • Audit database logs for unexpected changes in ticket statuses or cross-project ticket modifications.

Without specific exploit code or signatures, detection relies on monitoring authorization failures or suspicious activity patterns related to ticket updates.

Mitigation Strategies

Immediate mitigation steps focus on restricting unauthorized access and adding proper authorization checks.

  • Implement authorization checks in the `recordUpdated()` function to verify project membership and ownership before allowing ticket status updates.
  • Review and update delete policies for Tickets, Projects, and Sprints to ensure ownership verification is enforced.
  • Add ownership checks to comment edit and delete functions to prevent unauthorized modifications.
  • Create and enforce a dedicated policy for Timesheet resources to restrict unauthorized access.
  • Scope dashboard queries to only include tickets from projects the user is a member of, preventing cross-project data leakage.

Since the project has not yet responded with a patch, applying these authorization controls manually or restricting access to affected components until a fix is available is recommended.

Impact Analysis

The vulnerability can lead to unauthorized actions being performed within the affected software. Although it does not impact confidentiality, it can affect the integrity and availability of the system, meaning attackers could potentially alter data or disrupt service. The CVSS v3.1 score of 5.4 indicates a medium severity level, with the attack being remotely exploitable and requiring low complexity but some privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10285. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart