CVE-2026-31874

CRITICAL 9.8

Taskosaur Improper Role Assignment via Parameter Manipulation in User Registration

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Taskosaur is an open source project management platform with conversational AI for task execution in-app. In 1.0.0, the application does not properly validate or restrict the role parameter during the user registration process. An attacker can manually modify the request payload and assign themselves elevated privileges. Because the backend does not enforce role assignment restrictions or ignore client-supplied role parameters, the server accepts the manipulated value and creates the account with SUPER_ADMIN privileges. This allows any unauthenticated attacker to register a fully privileged administrative account.

CWE	CWE-284 CWE-639
Vendor	taskosaur
Product	taskosaur
Published	Mar 11, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for taskosaur taskosaur

Be the first to know when new critical vulnerabilities affecting taskosaur taskosaur are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Taskosaur / Taskosaur

1.0.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Taskosaur/Taskosaur/security/advisories/GHSA-r6gj-4663-p5mr github.com: https://github.com/Taskosaur/Taskosaur/commit/159a5a8f43761561100a57d34309830550028932