Taiga before 6.10.2 contains a missing authorization vulnerability (CWE-862) that allows unauthenticated remote attackers to create default due-date records in any project through unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Because these viewsets do not enforce project-level permission checks and fall through to the AllowAny default, an attacker can supply an arbitrary project identifier in the request body and create the records first, pre-empting the project's administrators from initializing their own default due dates.
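The pattern described above, as an added illustration that is not Taiga's code: class names (AllowAny, IsProjectAdmin, the viewset classes), the in-memory store and the admin role table are hypothetical stand-ins constructed for the example. It models the DRF-style dispatch flow that the advisory refers to, where a viewset that never overrides permission_classes inherits the AllowAny default, so an anonymous POST carrying any project id reaches create(). The hardened variant fails closed unless the caller is authenticated and administers the project named in the request body, which is the value the attacker controls.

```python
"""CWE-862 missing authorization in a DRF-style viewset, vulnerable vs. fixed.

Added example, not Taiga's code. All names and data below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    user: Optional[str]  # None models an unauthenticated caller
    data: dict           # parsed POST body


# Constructed fixture (not real Taiga data): project id -> admin usernames.
PROJECT_ADMINS = {1: {"alice"}, 2: {"bob"}}


class AllowAny:
    """Framework default: every caller passes, including anonymous ones."""

    def has_permission(self, request, view):
        return True


class IsProjectAdmin:
    """Hardened check: caller must be authenticated and must administer the
    project referenced in the POST body (attacker-controlled input)."""

    def has_permission(self, request, view):
        if request.user is None:
            return False
        project_id = request.data.get("project")
        # Unknown or missing project ids fail closed instead of falling through.
        return request.user in PROJECT_ADMINS.get(project_id, set())


class BaseDueDateViewSet:
    # Mirrors the DRF convention: a viewset that does not override
    # permission_classes gets the default, here AllowAny.
    permission_classes = [AllowAny]

    def __init__(self, store):
        self.store = store  # project id -> default due-date records

    def dispatch(self, request):
        """Run every permission class, then the create handler."""
        for perm_cls in self.permission_classes:
            if not perm_cls().has_permission(request, self):
                return (401 if request.user is None else 403), None
        return self.create(request)

    def create(self, request):
        project_id = request.data["project"]
        if project_id in self.store:
            # Defaults are one-shot per project: whoever posts first wins,
            # which is what lets an attacker pre-empt the real admin.
            return 400, "default due dates already exist"
        self.store[project_id] = request.data.get("due_dates", [])
        return 201, self.store[project_id]


class VulnerableDueDateViewSet(BaseDueDateViewSet):
    """No permission_classes override, so AllowAny is inherited."""


class FixedDueDateViewSet(BaseDueDateViewSet):
    permission_classes = [IsProjectAdmin]


def run_scenario(viewset_cls):
    """Replay the advisory's attack order against a fresh store and return the
    status codes for: anonymous attacker, admin of a *different* project (bob),
    then the legitimate admin of project 1 (alice)."""
    view = viewset_cls(store={})
    payload = {"project": 1, "due_dates": [{"name": "Default", "days": 7}]}
    callers = [None, "bob", "alice"]
    return [view.dispatch(Request(user=u, data=dict(payload)))[0] for u in callers]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableDueDateViewSet))  # [201, 400, 400]
    print("fixed:     ", run_scenario(FixedDueDateViewSet))       # [401, 403, 201]
```

In the vulnerable flow the anonymous caller gets 201 and the real administrator is then refused with 400, which is the pre-emption the advisory describes; in the fixed flow the anonymous caller gets 401, the wrong-project admin 403, and only alice's request creates the records. The practical check is the same in either direction: against a deployment, an unauthenticated POST to these viewsets should be rejected rather than answered with a created record.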
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
History
Thu, 02 Jul 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Taiga before 6.10.2 contains a missing authorization vulnerability that allows unauthenticated remote attackers to create default due-date records in any project by exploiting unprotected POST endpoints on the user-story, task, and issue due-date API viewsets. Attackers can supply an arbitrary project identifier to these endpoints, which bypass permission checks and apply the AllowAny default, to pre-empt project administrators from initializing due dates by creating records before they can do so themselves. |
| Title | | Taiga < 6.10.2 - Unauthorized Due-Date Creation via API Viewsets |
| First Time appeared | | Taiga; Taiga taiga |
| Weaknesses | | CWE-862 |
| CPEs | | cpe:2.3:a:taiga:taiga:*:*:*:*:*:*:*:* |
| Vendors & Products | | Taiga; Taiga taiga |
| References | | |
| Metrics | | cvssV3_1 |
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-02T19:42:04.588Z
Reserved: 2026-07-02T15:38:18.929Z
Link: CVE-2026-59097
Weaknesses
CWE-862: Missing Authorization