Impact
The vulnerability in GNU Savannah's Savane application up to version 3.17 arises when untrusted data is used as part of the authorization process. Because the decision about what a request may do depends on input the client controls, an attacker can influence that decision and potentially reach restricted areas or act with privileges they were not granted. The weakness is classified as CWE-696, Incorrect Behavior Order: a security-relevant step, here the authorization decision, is performed in the wrong order relative to the handling of the data it depends on, so the check and the later action do not necessarily refer to the same trusted values.
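To make this flaw class concrete, the following is an added illustration in PHP, Savane's implementation language. It is not Savane code and does not reproduce the actual defect, which the advisory does not describe; every function, parameter and lookup table is hypothetical. It shows an authorization check bound to one copy of an untrusted parameter while the action that follows re-reads the parameter from a source the attacker can override, and the hardened form that resolves the target once and checks and acts on that single value.

```php
<?php
// Added illustration, not Savane code: an authorization check performed on
// one copy of an untrusted parameter, with the action using another copy.
// All names, tables and request values below are hypothetical/constructed.

// Constructed server-side state standing in for the database and the session.
const GROUP_ADMINS = [10 => [1], 20 => [2]];   // group_id => admin user ids
const SESSION_USER = 2;                         // user id taken from the server-side session

function is_group_admin(int $user, int $group): bool
{
    return in_array($user, GROUP_ADMINS[$group] ?? [], true);
}

// Vulnerable: the check runs on the query-string value, but the action then
// re-reads the parameter from the merged request, where the POST body wins.
// This is the same mistake as checking $_GET and later acting on $_REQUEST.
function edit_group_vulnerable(array $get, array $post): string
{
    $group = (int)($get['group_id'] ?? 0);
    if (!is_group_admin(SESSION_USER, $group)) {
        return 'denied';
    }
    $request = array_merge($get, $post);          // POST overrides GET on key collision
    $group   = (int)($request['group_id'] ?? 0);  // attacker-chosen value, read after the check
    return "edited group $group";
}

// Hardened: refuse ambiguous requests, resolve the target exactly once, and
// run the authorization check on the same value the action will use.
function edit_group_hardened(array $get, array $post): string
{
    if (isset($get['group_id'], $post['group_id'])) {
        return 'denied';                          // parameter supplied twice: do not guess
    }
    $group = (int)($post['group_id'] ?? $get['group_id'] ?? 0);
    if (!is_group_admin(SESSION_USER, $group)) {
        return 'denied';
    }
    return "edited group $group";
}

// Constructed request: the session user administers group 20 only, passes
// group 20 in the query string to satisfy the check, and group 10 in the body.
$get  = ['group_id' => '20'];
$post = ['group_id' => '10'];
echo "vulnerable: ", edit_group_vulnerable($get, $post), "\n";
echo "hardened:   ", edit_group_hardened($get, $post), "\n";
```

The vulnerable handler lets the session user modify group 10, which they do not administer, because the value it authorized and the value it acted on came from different places. The hardened handler makes the ordering explicit: one resolution of the target, then the check, then the action, all on the same variable, and it rejects a request that carries the parameter in more than one channel rather than picking a winner.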
Affected Systems
All instances of GNU Savannah Savane running version 3.17 or earlier are affected. Savane is the free software project-hosting and management system published by the GNU project and is used in open-source development environments, most visibly on savannah.gnu.org itself.
Risk and Exploitability
The CVSS score of 3.7 falls in the Low band of the CVSS v3 severity scale (0.1 to 3.9). No EPSS score is available, so the likelihood of active exploitation cannot be estimated from that source, and the vulnerability is not listed in CISA's KEV catalog. The advisory does not describe the exact attack vector. Given that the flaw lies in how untrusted data reaches an authorization decision in a web application, it is reasonable to infer that an attacker would trigger it by submitting crafted request data through the web interface, but that remains an inference rather than a documented exploit path.
OpenCVE Enrichment