VYPR · Medium severity (5.4) · NVD Advisory · Published Jun 1, 2026

CVE-2026-10284

Description

DevaslanPHP project-management up to 2.0.0-beta1 allows improper authorization via direct Livewire method calls, enabling remote attackers to manipulate comments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in DevaslanPHP project-management up to version 2.0.0-beta1, specifically within the editComment and doDeleteComment functions in app/Filament/Resources/TicketResource/Pages/ViewTicket.php. These Livewire component methods accept comment IDs directly without performing server-side authorization checks, so the restrictions enforced only in the UI can be bypassed.

Exploitation

An authenticated remote attacker can exploit this vulnerability by directly invoking the editComment or doDeleteComment Livewire methods. They can provide any comment ID to these methods, bypassing the UI checks that would normally restrict these actions to the comment's owner or an administrator.

Impact

Successful exploitation allows an attacker to edit or delete any comment within the application, regardless of ownership. This leads to unauthorized modification or removal of ticket-related information, potentially disrupting project management workflows and data integrity.

Mitigation

No patched version has been released as of the available references. The project was informed early through an issue report [1], but has not yet responded. Users are advised to monitor the project's GitHub repository for updates and potential fixes. There are no known workarounds at this time.

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet).

Vulnerability mechanics

Root cause

"Livewire component methods perform actions on resources using client-supplied IDs without server-side authorization verification."

Attack vector

An attacker can remotely call Livewire methods directly, bypassing UI-only authorization checks. Specifically, the `editComment` and `doDeleteComment` functions in `ViewTicket.php` accept a comment ID without verifying that the authenticated user has permission to modify or delete that specific comment. This allows any authenticated user to delete or edit comments they do not own [ref_id=1].

Affected code

The vulnerability exists in the `editComment` and `doDeleteComment` functions within the file `app/Filament/Resources/TicketResource/Pages/ViewTicket.php`. These functions handle comment editing and deletion, respectively, and are part of the Livewire Handler component [ref_id=1].

What the fix does

The advisory recommends adding server-side authorization checks to Livewire methods. For example, when deleting a comment, the system should verify that the authenticated user is either the owner of the comment or has administrative privileges before proceeding with the deletion. This ensures that actions are only performed by authorized users, closing the bypass vulnerability [ref_id=1]. No specific code changes are shown, but the advisory provides guidance on how to implement the fix.
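The owner-or-administrator check described above, written as an added illustration in Laravel/Livewire terms; this is not code from the DevaslanPHP project. It assumes an Eloquent `Comment` model with a `user_id` column, a `User` model with an `is_admin` attribute, a `CommentPolicy` discovered by Laravel's naming convention, and a plain Livewire component standing in for the advisory's `ViewTicket.php`.

```php
<?php
// Added illustration, not DevaslanPHP's code. Assumed: a Comment model with a
// user_id column, a User model with is_admin, and a page standing in for ViewTicket.php.
namespace App\Policies {
    use App\Models\Comment;
    use App\Models\User;
    // Single place that encodes the advisory's rule: owner or administrator.
    class CommentPolicy
    {
        public function update(User $user, Comment $comment): bool
        {
            return (bool) $user->is_admin || $user->id === $comment->user_id;
        }
        public function delete(User $user, Comment $comment): bool
        {
            return $this->update($user, $comment);
        }
    }
}

namespace App\Filament\Resources\TicketResource\Pages {
    use App\Models\Comment;
    use Illuminate\Support\Facades\Gate;
    use Livewire\Component;
    class ViewTicketExample extends Component
    {
        // Vulnerable shape from the advisory: the ID comes from the client-side
        // Livewire call and nothing checks who may act on it; the UI is the only barrier.
        public function doDeleteCommentUnsafe(int $commentId): void
        {
            Comment::findOrFail($commentId)->delete();
        }

        // Hardened: load the record, then authorize against the policy before any
        // state changes. Gate::authorize throws AuthorizationException (HTTP 403).
        public function doDeleteComment(int $commentId): void
        {
            $comment = Comment::findOrFail($commentId);
            Gate::authorize('delete', $comment);   // CommentPolicy::delete
            $comment->delete();
        }

        public function editComment(int $commentId, string $body): void
        {
            $comment = Comment::findOrFail($commentId);
            Gate::authorize('update', $comment);   // CommentPolicy::update
            $comment->update(['body' => $body]);
        }
    }
}
```

The check runs on the server against the record actually loaded for the supplied ID, so it holds no matter which ID the client sends or which buttons the UI rendered.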

Preconditions

  • The attacker must be an authenticated user.

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet).