CVE-2026-24007

4.6 MEDIUM

📋 TL;DR

This CSRF vulnerability in Tuleap allows attackers to trick authenticated users into performing unauthorized actions, specifically creating artifact links from releases. All Tuleap users with access to the Overview inconsistent items feature are affected. The vulnerability requires user interaction but no special privileges.

💻 Affected Systems

Products:
  • Tuleap Community Edition
  • Tuleap Enterprise Edition
Versions: All Tuleap Community Edition versions before 17.0.99.1768924735, and Tuleap Enterprise Edition versions before 17.2-5, 17.1-6 and 17.0-9
Operating Systems: All platforms running Tuleap
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the Overview inconsistent items feature

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could manipulate project data integrity by creating unauthorized artifact links, potentially disrupting development workflows or injecting malicious content into project artifacts.

🟠 Likely Case

Unauthorized creation of artifact links that could confuse development teams or create incorrect dependencies between project items.

🟢 If Mitigated

With proper CSRF protections, no unauthorized actions can be performed through cross-site requests.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated user into visiting a malicious website while logged into Tuleap.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tuleap Community Edition 17.0.99.1768924735 or Tuleap Enterprise Edition 17.2-5, 17.1-6, or 17.0-9

Vendor Advisory: https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw

Restart Required: Yes

Instructions:

1. Backup your Tuleap instance.
2. Update to the patched version using your package manager.
3. Restart Tuleap services.
4. Verify the update was successful.

🔧 Temporary Workarounds

CSRF Token Implementation (all)

Implement custom CSRF protection for the Overview inconsistent items endpoint.

🧯 If You Can't Patch

  • Implement web application firewall rules to detect and block CSRF attempts
  • Educate users about phishing risks and require manual confirmation for sensitive actions

🔍 How to Verify

Check if Vulnerable:

Check Tuleap version against affected versions list. Review source code for CSRF protection in Overview inconsistent items endpoints.

Check Version:

tuleap version

Verify Fix Applied:

Verify Tuleap version is patched. Test that CSRF tokens are required for Overview inconsistent items actions.

📡 Detection & Monitoring

Log Indicators:

  • Multiple artifact link creation requests from same user in short timeframe
  • Requests missing CSRF tokens to Overview endpoints

Network Indicators:

  • HTTP POST requests to /api/v1/overview/inconsistent_items without proper referrer headers

SIEM Query:

source="tuleap" AND (uri_path="/overview/inconsistent_items" OR uri_path="/api/v1/overview/inconsistent_items") AND http_method="POST"
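As an added example (not from the advisory or from Tuleap itself), the following Python triage script applies the log and network indicators above to constructed sample log lines: it flags POST requests to the Overview inconsistent items endpoints that carry no CSRF token or arrive from a cross-origin or absent Origin/Referer. The log line format, field names and host names are assumptions for the example; adapt the regex to your own access-log format.

```python
import re
from urllib.parse import urlparse

# Endpoints named in the advisory's detection section.
OVERVIEW_PATHS = ("/overview/inconsistent_items", "/api/v1/overview/inconsistent_items")

# Constructed sample access-log lines (hypothetical format, not real Tuleap logs).
SAMPLE_LOG = """\
user=alice method=POST path=/api/v1/overview/inconsistent_items origin=https://tuleap.example.com referer=https://tuleap.example.com/overview csrf_token=present
user=alice method=POST path=/api/v1/overview/inconsistent_items origin=https://evil.example.net referer=https://evil.example.net/page csrf_token=missing
user=bob method=GET path=/overview/inconsistent_items origin=- referer=https://tuleap.example.com/ csrf_token=missing
user=carol method=POST path=/overview/inconsistent_items origin=- referer=- csrf_token=missing
user=dave method=POST path=/api/v1/projects origin=https://evil.example.net referer=- csrf_token=missing
"""

LINE_RE = re.compile(
    r"user=(\S+) method=(\S+) path=(\S+) origin=(\S+) referer=(\S+) csrf_token=(\S+)"
)


def host_of(url):
    """Return the lower-cased host of a URL, or None for an absent ('-') header."""
    return urlparse(url).netloc.lower() if url != "-" else None


def suspicious_requests(log_text, own_host="tuleap.example.com"):
    """Return (user, path, reasons) for state-changing requests that look cross-site."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, method, path, origin, referer, token = m.groups()
        # Only POSTs to the advisory's endpoints can create artifact links.
        if method != "POST" or path not in OVERVIEW_PATHS:
            continue
        reasons = []
        if token != "present":
            reasons.append("no CSRF token")
        # Browsers send Origin on cross-site POSTs; fall back to Referer.
        src = host_of(origin) or host_of(referer)
        if src is None:
            reasons.append("no Origin/Referer")
        elif src != own_host:
            reasons.append(f"cross-origin source {src}")
        if reasons:
            findings.append((user, path, reasons))
    return findings
```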
