CVE-2026-31874
Published: 11 March 2026
Summary
CVE-2026-31874 is a critical-severity Improper Access Control (CWE-284) vulnerability in Taskosaur. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is classified as AI-related (category: LLM Application Platforms; risk domain: Not Applicable).
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-31874 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Taskosaur version 1.0.0, an open source project management platform featuring conversational AI for in-app task execution. The issue stems from improper validation and restriction of the role parameter during the user registration process (CWE-284: Improper Access Control; CWE-639: Authorization Bypass Through User-Controlled Key). The backend fails to enforce role assignment restrictions or ignore client-supplied values, allowing manipulated inputs to be accepted without server-side checks.
Any unauthenticated attacker can exploit this vulnerability by intercepting and modifying the registration request payload to specify elevated privileges, such as SUPER_ADMIN. Upon submission, the server creates the account with the requested role, granting the attacker full administrative access to the platform, including potential control over tasks, users, and AI-driven features.
The fix is delivered in GitHub commit 159a5a8f43761561100a57d34309830550028932. Additional details on the vulnerability, affected versions, and remediation steps are available in the GitHub Security Advisory GHSA-r6gj-4663-p5mr. Security practitioners should upgrade to a patched version and review registration endpoints for similar client-controlled authorization bypasses.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11284
Vulnerability details
Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.
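The pattern described above, as an added example that is not Taskosaur's code: a registration handler that copies the client body into the new account, beside a hardened version that allow-lists the fields a self-registering user may set and assigns the role server-side, plus a small check that flags authorization-bearing fields in registration payloads for logging. TypeScript is used here; the role names other than SUPER_ADMIN, the field names and the password-hash stand-in are assumptions.

```typescript
// Added example, not Taskosaur's code. A registration handler is modelled as a
// pure function over the parsed JSON body so it runs without a web framework.
type Role = "SUPER_ADMIN" | "ADMIN" | "MEMBER"; // names other than SUPER_ADMIN are assumed

interface User {
  email: string;
  passwordHash: string;
  role: Role;
}

// Stand-in for a real password hash (assumption: a proper KDF goes here).
const hash = (pw: string): string => `hashed:${pw}`;

// VULNERABLE pattern: the whole client body is copied into the new account,
// so a `role` field in the request silently overrides the intended default.
function registerVulnerable(body: Record<string, unknown>): User {
  return {
    role: "MEMBER",                            // intended default...
    ...body,                                   // ...clobbered by any client-supplied field
    passwordHash: hash(String(body.password)),
  } as unknown as User;
}

// HARDENED pattern: allow-list the fields a self-registering user may set and
// assign the role server-side, regardless of what the body contains.
function registerHardened(body: Record<string, unknown>): User {
  const { email, password } = body;
  if (typeof email !== "string" || !email.includes("@")) {
    throw new Error("invalid email");
  }
  if (typeof password !== "string" || password.length < 12) {
    throw new Error("password too short");
  }
  return { email, passwordHash: hash(password), role: "MEMBER" };
}

// Detection hook: registration bodies carrying authorization-bearing fields
// are worth logging even once the server ignores them.
function privilegeFieldsIn(body: Record<string, unknown>): string[] {
  const sensitive = ["role", "roles", "isAdmin", "permissions"];
  return sensitive.filter((k) => k in body);
}

// Constructed sample of the tampered payload the advisory describes.
const tamperedBody: Record<string, unknown> = {
  email: "new-user@example.test",
  password: "correct-horse-battery",
  role: "SUPER_ADMIN",
};
```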
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Not Applicable
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing web application's registration endpoint by manipulating the role parameter to gain SUPER_ADMIN privileges.
Mitigating Controls (NIST 800-53 r5)
AC-2 (Account Management) requires establishing conditions for role membership and specifying access authorizations during account creation, directly preventing attackers from self-assigning elevated privileges like SUPER_ADMIN during registration.
SI-10 (Information Input Validation) mandates validation of information inputs such as the role parameter, blocking manipulated client-supplied values that bypass authorization during user registration.
AC-3 (Access Enforcement) enforces approved authorizations server-side, ensuring the backend ignores or rejects unauthorized client-specified roles instead of accepting them for new accounts.