CVE-2026-31874 — CRITICAL (9.8)

Vulnerability Description

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Taskosaur	Taskosaur	1.0.0

Related Weaknesses (CWE)

CWE-639 CWE-284

References

https://github.com/Taskosaur/Taskosaur/commit/159a5a8f43761561100a57d34309830550Patch
https://github.com/Taskosaur/Taskosaur/security/advisories/GHSA-r6gj-4663-p5mrExploitVendor Advisory

FAQ

What is CVE-2026-31874?

CVE-2026-31874 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the...

How severe is CVE-2026-31874?

CVE-2026-31874 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-31874?

Check the references section above for vendor advisories and patch information. Affected products include: Taskosaur Taskosaur.