Platform
php
Component
tuleap
Fixed in
17.0.100
CVE-2026-24007 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in Tuleap, an open-source software suite for managing software development and collaboration. This flaw allows an attacker to potentially manipulate Tuleap's functionality by tricking authenticated users into performing unintended actions, specifically related to repairing inconsistent items and creating artifact links. The vulnerability affects versions of Tuleap up to and including 17.0.99.1768924735, with fixes available in later releases.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of Tuleap's data and configuration. An attacker could craft malicious links or embed requests within legitimate websites to exploit this flaw. Successful exploitation could lead to the creation of artifact links from releases without proper authorization, potentially introducing malicious code or misrepresenting project status. While the direct impact might seem limited to artifact management, it could be leveraged to gain a deeper understanding of the software development process or even disrupt workflows within the Tuleap environment. The blast radius depends on the level of access granted to users within Tuleap; users with higher privileges could cause more significant damage.
CVE-2026-24007 was publicly disclosed on 2026-02-02. There is currently no indication of active exploitation or a KEV listing. No public proof-of-concept (PoC) code has been released. The vulnerability's CVSS score of 4.6 (MEDIUM) suggests a moderate probability of exploitation, particularly if attackers gain access to users' Tuleap sessions or can trick them into clicking malicious links.
Organizations utilizing Tuleap for software development and collaboration are at risk, particularly those relying on older, unpatched versions. Shared hosting environments where multiple users share the same Tuleap instance are also at increased risk, as an attacker could potentially exploit the vulnerability through a compromised user account.
• php: Examine Tuleap application logs for unusual requests related to artifact link creation or inconsistent item repair. Look for POST requests originating from external domains or with unexpected parameters.
  grep -iE 'artifact link|inconsistent item' /var/log/apache2/access.log
• generic web: Monitor Tuleap's access logs for requests containing suspicious parameters or originating from unusual IP addresses. Use a WAF to detect and block requests whose CSRF tokens do not match the expected format.
  curl -I <tuleap_url>/repair_inconsistent_items.php | grep -i 'csrf-token'
• php: Review Tuleap's code base for instances where user input is used to construct URLs or execute database queries without proper validation or sanitization. Search for functions like header() or redirect() that might be vulnerable to CSRF attacks.
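Detection logic for the log-review bullets above, as an added example that is not part of this advisory: it parses Apache combined-format access log lines and flags state-changing requests to Tuleap paths whose Referer is missing or points at another site. The host name, watched paths and log lines are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the advisory): the Tuleap host name and the request paths
# worth watching. /plugins/tracker/ is the tracker plugin prefix; the repair
# endpoint path is the placeholder used in the advisory's curl command.
TULEAP_HOST = "tuleap.example.com"
WATCHED_PATHS = ("/plugins/tracker/", "/repair_inconsistent_items.php")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not captured from a real Tuleap instance.
SAMPLE_LOG = """\
203.0.113.5 - alice [02/Feb/2026:10:00:01 +0000] "POST /plugins/tracker/?aid=42&func=link HTTP/1.1" 200 512 "https://tuleap.example.com/plugins/tracker/?aid=42" "Mozilla/5.0"
198.51.100.7 - alice [02/Feb/2026:10:05:12 +0000] "POST /plugins/tracker/?aid=42&func=link HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"
198.51.100.7 - bob [02/Feb/2026:10:06:00 +0000] "GET /plugins/tracker/?aid=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - carol [02/Feb/2026:10:07:30 +0000] "POST /repair_inconsistent_items.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

def suspicious_requests(log_text, tuleap_host=TULEAP_HOST):
    """Return (ip, user, path, reason) for state-changing requests to watched
    paths whose Referer is absent or names a host other than Tuleap.
    A missing Referer is only a weak signal: browsers and proxies may strip it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] not in STATE_CHANGING:
            continue
        if not any(m["path"].startswith(p) for p in WATCHED_PATHS):
            continue
        ref_host = urlparse(m["referer"]).hostname  # "-" and bare strings give None
        if ref_host == tuleap_host:
            continue  # same-origin form submission, expected
        reason = ("missing or unparsable Referer" if ref_host is None
                  else f"cross-site Referer {ref_host}")
        findings.append((m["ip"], m["user"], m["path"], reason))
    return findings

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Run it against a real access log by passing the file contents to suspicious_requests(); hits still need manual review because legitimate clients sometimes send no Referer.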
disclosure
Exploit status
EPSS
0.01% (percentile 0%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24007 is to upgrade Tuleap to a patched version. Upgrade to Tuleap Community Edition 17.0.99.1768924735 or Enterprise Editions 17.2-5, 17.1-6, and 17.0-9. If an immediate upgrade is not feasible, consider implementing stricter input validation and output encoding within Tuleap's application code to reduce the attack surface. While a WAF or proxy cannot directly prevent CSRF, it can be configured to filter suspicious requests based on patterns associated with known CSRF attack vectors. Regularly review Tuleap's access control policies to ensure users only have the necessary permissions to perform their tasks. After the upgrade, confirm the vulnerability is resolved by attempting to trigger the inconsistent item repair functionality with a crafted CSRF request and verifying that the action is blocked.
Update Tuleap to version 17.0.99.1768924735 or later. This fixes the CSRF vulnerability in the handling of inconsistent items. The update can be performed through the Tuleap administration panel or by following the update instructions provided by the vendor.
CVE-2026-24007 is a Cross-Site Request Forgery (CSRF) vulnerability in Tuleap versions up to 17.0.99.1768924735, allowing attackers to trick users into performing unauthorized actions like creating malicious artifact links.
You are affected if you are using Tuleap versions prior to 17.0.99.1768924735, including Community and Enterprise editions.
Upgrade to Tuleap Community Edition 17.0.99.1768924735 or Enterprise Editions 17.2-5, 17.1-6, and 17.0-9. Consider implementing stricter input validation as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's CVSS score indicates a moderate risk.
Refer to the official Tuleap security advisories on their website for the most up-to-date information and guidance.