CVE-2026-59097

Taiga Missing Authorization in Default Due-Date Records

Vulnerability report for CVE-2026-59097, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor: taiga
Product: taiga
Version / Range: before 6.10.2 (6.10.2 excluded)

Exploitability

CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

CVE-2026-59097 is a missing authorization vulnerability in Taiga versions before 6.10.2. It allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets.

The vulnerability exists because the 'create_default' actions in these API endpoints do not perform permission checks, allowing attackers to supply arbitrary project identifiers and bypass the required project administrator permissions.

As a result, attackers can pre-empt project administrators by creating due-date records before legitimate users can initialize them.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to interfere with project management workflows.

  • Attackers can create default due-date records in any project without authentication.
  • This can disrupt project administration by pre-empting project administrators from setting due dates themselves.
  • Such interference may cause confusion, mismanagement of tasks, and potential delays in project timelines.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the API endpoints related to due-date creation in Taiga projects. Specifically, look for POST requests to the user-story, task, and issue due-date API viewsets that include a project_id parameter.

You can use network monitoring tools or web server logs to identify such requests. For example, using curl or similar tools, you can test if the endpoints accept unauthenticated POST requests by sending a request like:

  • curl -X POST https://your-taiga-instance/api/v1/userstoryduedate/create_default/ -d 'project_id=1'
  • curl -X POST https://your-taiga-instance/api/v1/taskduedate/create_default/ -d 'project_id=1'
  • curl -X POST https://your-taiga-instance/api/v1/issueduedate/create_default/ -d 'project_id=1'

If these requests succeed without authentication or permission errors, your system is vulnerable.
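The log-based detection described above, as an added example that is not part of this advisory: it scans web-server access-log lines for POSTs to the three create_default due-date endpoints (the paths are taken from the curl commands above; the combined log format, the sample lines and the helper names are assumptions).

```python
import re
from dataclasses import dataclass

# The three create_default due-date endpoints named in the advisory; the path
# shape follows the curl examples above (assumed, not taken from Taiga's code).
CREATE_DEFAULT_RE = re.compile(
    r"^/api/v1/(userstoryduedate|taskduedate|issueduedate)/create_default/?(?:\?.*)?$"
)
# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

@dataclass
class Finding:
    ip: str
    timestamp: str
    viewset: str      # which due-date viewset was hit
    status: int
    succeeded: bool   # 2xx: the server accepted the default due-date creation

def scan_access_log(lines):
    """Return a Finding for every POST to a create_default due-date endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        hit = CREATE_DEFAULT_RE.match(m["path"])
        if not hit:
            continue
        status = int(m["status"])
        findings.append(Finding(m["ip"], m["ts"], hit.group(1), status, 200 <= status < 300))
    return findings

def successful_creations(findings):
    """Only the POSTs the server accepted (2xx); these are the ones to alert on."""
    return [f for f in findings if f.succeeded]

# Constructed sample lines (not real traffic): two hits on the vulnerable
# endpoints, one of them rejected with 403, plus ordinary traffic to ignore.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jul/2026:10:15:01 +0000] "POST /api/v1/userstoryduedate/create_default/ HTTP/1.1" 201 142 "-" "curl/8.5.0"',
    '198.51.100.4 - - [02/Jul/2026:10:15:05 +0000] "GET /api/v1/userstoryduedate/?project=1 HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jul/2026:10:15:09 +0000] "POST /api/v1/taskduedate/create_default/ HTTP/1.1" 403 58 "-" "curl/8.5.0"',
    '192.0.2.10 - - [02/Jul/2026:10:16:00 +0000] "POST /api/v1/userstories/ HTTP/1.1" 201 512 "-" "Mozilla/5.0"',
]
```

An access log does not record whether the POST carried a valid token, so a 2xx hit is a successful default-due-date creation to correlate with the accounts that should have been allowed to create it, not by itself proof of an unauthenticated call.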

Mitigation Strategies

The immediate mitigation step is to upgrade Taiga to version 6.10.2 or later, where the vulnerability has been fixed by adding proper permission checks to the affected API endpoints.

If upgrading is not immediately possible, restrict access to the affected API endpoints by implementing network-level controls such as firewall rules or API gateway restrictions to block unauthenticated POST requests to the due-date creation endpoints.

Additionally, monitor logs for suspicious POST requests to these endpoints and alert on any unauthorized attempts.
