Cyber Posture

CVE-2026-31874

Critical · Public PoC

Published: 11 March 2026

Modified: 20 March 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0023 (46.1th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: AC-2 requires establishing conditions for role membership and specifying access authorizations during account creation, directly preventing attackers from self-assigning elevated privileges like SUPER_ADMIN during registration.

Prevent: SI-10 mandates validation of information inputs such as the role parameter, blocking manipulated client-supplied values that bypass authorization during user registration.

Prevent: AC-3 enforces approved authorizations server-side, ensuring the backend ignores or rejects unauthorized client-specified roles instead of accepting them for new accounts.

Security Summary (AI-generated)

CVE-2026-31874 is a critical-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Taskosaur version 1.0.0, an open source project management platform featuring conversational AI for in-app task execution. The issue stems from improper validation and restriction of the role parameter during the user registration process (CWE-284: Improper Access Control; CWE-639: Authorization Bypass Through User-Controlled Key). The backend neither enforces role assignment restrictions nor ignores client-supplied values, so a manipulated role is accepted without any server-side check.

Any unauthenticated attacker can exploit this vulnerability by intercepting and modifying the registration request payload to specify elevated privileges, such as SUPER_ADMIN. Upon submission, the server creates the account with the requested role, granting the attacker full administrative access to the platform, including potential control over tasks, users, and AI-driven features.

A fix is available in GitHub commit 159a5a8f43761561100a57d34309830550028932. Additional details on the vulnerability, affected versions, and remediation steps are available in the GitHub Security Advisory GHSA-r6gj-4663-p5mr. Security practitioners should upgrade to a patched version and review registration endpoints for similar client-controlled authorization bypasses.

Details

CWE(s)

Affected Products: taskosaur / taskosaur 1.0.0

AI Security Analysis (AI-generated)

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: ai

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing web application's registration endpoint by manipulating the role parameter to gain SUPER_ADMIN privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References