Cyber Resilience

CVE-2026-31874

CriticalPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0064 45.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-31874 is a critical-severity Improper Access Control (CWE-284) vulnerability in Taskosaur Taskosaur. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Not Applicable risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-31874 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Taskosaur version 1.0.0, an open source project management platform featuring conversational AI for in-app task execution. The issue stems from improper validation and restriction of the role parameter during the user registration process (CWE-284: Improper Access Control; CWE-639: Authorization Bypass Through User-Controlled Key). The backend fails to enforce role assignment restrictions or ignore client-supplied values, allowing manipulated inputs to be accepted without server-side checks.

Any unauthenticated attacker can exploit this vulnerability by intercepting and modifying the registration request payload to specify elevated privileges, such as SUPER_ADMIN. Upon submission, the server creates the account with the requested role, granting the attacker full administrative access to the platform, including potential control over tasks, users, and AI-driven features.

Mitigation is addressed in a patch via GitHub commit 159a5a8f43761561100a57d34309830550028932. Additional details on the vulnerability, affected versions, and remediation steps are available in the GitHub Security Advisory GHSA-r6gj-4663-p5mr. Security practitioners should upgrade to a patched version and review registration endpoints for similar client-controlled authorization bypasses.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request…

more

payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Not Applicable
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application's registration endpoint by manipulating the role parameter to gain SUPER_ADMIN privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40252Shared CWE-284, CWE-639
CVE-2026-41277Shared CWE-284, CWE-639
CVE-2026-45398Shared CWE-639
CVE-2026-41947Shared CWE-639
CVE-2025-41258Shared CWE-284
CVE-2026-21447Shared CWE-284, CWE-639
CVE-2026-4503Shared CWE-639
CVE-2026-30855Shared CWE-284
CVE-2026-25758Shared CWE-284, CWE-639
CVE-2025-62166Shared CWE-284, CWE-639

Affected Assets

taskosaur
taskosaur
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-2 requires establishing conditions for role membership and specifying access authorizations during account creation, directly preventing attackers from self-assigning elevated privileges like SUPER_ADMIN during registration.

prevent

SI-10 mandates validation of information inputs such as the role parameter, blocking manipulated client-supplied values that bypass authorization during user registration.

prevent

AC-3 enforces approved authorizations server-side, ensuring the backend ignores or rejects unauthorized client-specified roles instead of accepting them for new accounts.

References