Description
Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9.
Published: 2026-02-02
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized artifact link creation via CSRF
Action: Apply Patch
AI Analysis

Impact

The flaw is a missing CSRF protection on the Overview inconsistent items interface, allowing an attacker to trick a user into resolving item inconsistencies while simultaneously creating new artifact links from a release. This alters project data without the user’s intent and is a classic Cross‑Site Request Forgery (CWE‑352).

Affected Systems

Enalean Tuleap Community Edition 17.0.99.1768924735 and newer, and Enterprise Editions 17.2‑5, 17.1‑6, or 17.0‑9 and newer are fixed; all earlier releases across community and enterprise distributions remain susceptible.

Risk and Exploitability

The CVSS score of 4.6 classifies the vulnerability as moderate, while the EPSS score of less than 1% indicates a low likelihood of current exploitation. It is not listed in CISA’s KEV catalog. Exploitation would require a victim to click a malicious link or form, implying a user‑interaction vector that an attacker typically achieves through phishing or social engineering. The potential impact of unauthorized link creation could disrupt release workflows and data integrity, justifying prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tuleap to Community Edition 17.0.99.1768924735 or later, or Enterprise Edition 17.2‑5, 17.1‑6, or 17.0‑9 and newer
  • If an upgrade is not feasible, disable the Overview inconsistent items feature or restrict user permissions for artifact link creation
  • Educate users on phishing tactics and implement CSRF token verification checks to mitigate inadvertent exploitation

Generated by OpenCVE AI on April 18, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:enalean:tuleap:*:*:*:*:community:*:*:*
cpe:2.3:a:enalean:tuleap:*:*:*:*:enterprise:*:*:*

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Enalean
Enalean tuleap
Vendors & Products Enalean
Enalean tuleap

Tue, 03 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9.
Title Tuleap is missing CSRF protection in the Overview inconsistent items
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Enalean Tuleap
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T14:56:49.087Z

Reserved: 2026-01-19T18:49:20.660Z

Link: CVE-2026-24007

cve-icon Vulnrichment

Updated: 2026-02-03T14:56:43.872Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:07.500

Modified: 2026-02-23T20:29:40.347

Link: CVE-2026-24007

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T18:45:05Z

Weaknesses