Description
Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.
Published: 2026-03-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Taskosaur's user registration endpoint accepts a role field from the client without validation. Because the service neither rejects nor overwrites client-supplied role values, an attacker can craft a registration request that assigns themselves SUPER_ADMIN privileges. This is a classic mass-assignment flaw: the request body is written into the user record as-is, so a field the client should never control becomes attacker-controlled. The result is a fully privileged account, giving the attacker complete control over the platform and every action available to a SUPER_ADMIN, including access to all workspaces, users and data. The record classifies the weakness as improper access control and authorization bypass through a user-controlled key (CWE-284 and CWE-639).

Affected Systems

The vulnerability affects Taskosaur version 1.0.0 (CPE target software node.js). Deployments running this version of the Taskosaur project management platform are exposed. No other versions are currently listed as affected.

Risk and Exploitability

With a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) the risk is critical. Exploitation needs only a single crafted HTTP request to the public registration endpoint, with no prior authentication and no user interaction, so anyone who can reach the endpoint can create a SUPER_ADMIN account. The EPSS score of less than 1 % indicates a low predicted probability of exploitation over the next 30 days, and the vulnerability is not listed in the CISA KEV catalog. Neither fact means it is not being exploited; it means no exploitation has been recorded there, and the SSVC assessment already records proof-of-concept exploitation (Exploitation: poc, Automatable: yes). Given the trivial exploit and total technical impact, patch without waiting for exploitation signals.

Generated by OpenCVE AI on March 20, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Taskosaur release that includes the role‑validation fix, or apply the patch from commit 159a5a8f. Verify that the commit is actually present in the build you deploy, since the Remediation field above still records no vendor fix.
  • If an upgrade is not immediately possible, modify the registration handler to build the user record from an explicit allowlist of client‑settable fields (email, password, profile data), drop or reject any role field in the request, and assign the default non‑privileged role server‑side. Keep role changes on a separate, administrator‑only endpoint.
  • Restricting self‑registration (invite‑only sign‑up) or adding a CAPTCHA slows automated account creation but is not a fix: a single hand‑crafted request still succeeds.
  • Monitor registration requests for any client‑supplied role field, whatever its value, and block the sources. Audit existing accounts and treat every SUPER_ADMIN or other privileged account that an administrator did not create as attacker‑controlled: revoke it, rotate any credentials and tokens it could have reached, and review its activity.



Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:15:00 +0000

Type    Values Removed    Values Added
CPEs    (none)            cpe:2.3:a:taskosaur:taskosaur:1.0.0:*:*:*:*:node.js:*:*

Fri, 13 Mar 2026 03:15:00 +0000

Type       Values Removed    Values Added
Metrics    (none)            ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type                   Values Removed    Values Added
First Time appeared    (none)            Taskosaur; Taskosaur taskosaur
Vendors & Products     (none)            Taskosaur; Taskosaur taskosaur

Wed, 11 Mar 2026 18:45:00 +0000

Type           Values Removed    Values Added
Description    (none)            Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.
Title          (none)            Taskosaur Improper Role Assignment via Parameter Manipulation in User Registration
Weaknesses     (none)            CWE-284, CWE-639
References     (none)            (none)
Metrics        (none)            cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:08:36.826Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31874

Vulnrichment

Updated: 2026-03-12T20:08:34.013Z

NVD

Status : Analyzed

Published: 2026-03-11T19:16:03.970

Modified: 2026-03-20T16:12:08.773

Link: CVE-2026-31874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:18Z

Weaknesses