CVE-2026-10285
Description
DevaslanPHP project-management up to 2.0.0-beta1 improperly authorizes ticket status updates, allowing remote attackers to manipulate tickets across projects.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in the KanbanScrumHelper::recordUpdated function within app/Helpers/KanbanScrumHelper.php in DevaslanPHP project-management up to version 2.0.0-beta1. The function accepts a ticket ID from the client without verifying ownership or project membership, allowing for manipulation of ticket status. This issue is present in the Ticket Handler component [1].
Exploitation
An attacker can exploit this vulnerability remotely by manipulating the Livewire wire protocol to send arbitrary ticket IDs to the recordUpdated function. Since there are no ownership or project membership checks, an attacker can change the status of any ticket, regardless of their project association [1].
Impact
Successful exploitation allows an authenticated attacker to change the status and ordering of any ticket in the application, including tickets in projects the attacker is not a member of. This is an integrity issue (workflow state is silently altered) rather than a confidentiality one; the effect extends to every ticket in the instance, not just the attacker's own projects [1].
Mitigation
Not yet disclosed in the available references. The project was notified early through an issue report but has not responded [1]. The latest release mentioned is 1.2.3; the affected range extends through 2.0.0-beta1 [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.0.0-beta1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The recordUpdated function lacks authorization checks, allowing unauthorized users to modify ticket properties."
Attack vector
An attacker can remotely send a request to the Livewire listener for the recordUpdated function. This function accepts a ticket ID, new index, and new status without verifying the user's ownership or project membership. By manipulating these parameters, an attacker can alter any ticket's status and order across projects, leading to improper authorization [1].
Affected code
The vulnerability resides in the `recordUpdated` function within the `KanbanScrumHelper.php` file. This function is responsible for updating a ticket's order and status. The issue is specifically located between lines 157 and 166 of this file [1].
What the fix does
The advisory recommends adding authorization checks to the recordUpdated() function to verify that the user is a project member before allowing ticket modifications. This would prevent unauthorized users from manipulating ticket data across different projects. The advisory also suggests adding ownership checks to delete policies and implementing authorization for Filament pages [1].
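The following is an added illustration of the pattern the advisory describes and the check it recommends; it is not DevaslanPHP's code and does not reproduce `KanbanScrumHelper.php`. It assumes a Livewire 3 component, a `Ticket` Eloquent model with `project_id`, `index` and `status` columns, and a `Project` model with `members` and `statuses` relationships; all of those names are assumptions. The vulnerable method updates whatever ticket ID the browser sends, which is exactly what a crafted Livewire call exploits. The hardened method resolves the owning project server-side, requires the authenticated user to be a member of that project, and validates the target status against that project's own column list.

```php
<?php
// Added example, not the project's code. Ticket/Project models, their
// relationships, and the listener names are assumptions for illustration.

namespace App\Livewire;

use App\Models\Ticket;            // assumed model: id, project_id, index, status
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\Rule;
use Livewire\Attributes\On;
use Livewire\Component;

class KanbanBoard extends Component
{
    // Vulnerable shape: every argument comes from the client. Livewire method
    // calls are client-controlled, so $id can point at a ticket in any project
    // and the update goes through with no membership check at all.
    #[On('recordUpdatedVulnerable')]
    public function recordUpdatedVulnerable(int $id, int $newIndex, string $newStatus): void
    {
        $ticket = Ticket::find($id);
        if ($ticket !== null) {
            $ticket->update(['index' => $newIndex, 'status' => $newStatus]);
        }
    }

    // Hardened shape: load the ticket, derive its project on the server, and
    // refuse unless the caller is a member of that project. The status is then
    // validated against the project's own statuses so a ticket cannot be moved
    // into a column that belongs to a different board.
    #[On('recordUpdated')]
    public function recordUpdated(int $id, int $newIndex, string $newStatus): void
    {
        $ticket  = Ticket::with('project.members', 'project.statuses')->findOrFail($id);
        $project = $ticket->project;

        // Authorization check: membership is evaluated against the ticket's own
        // project, never against a project ID supplied by the client. Responding
        // 404 instead of 403 avoids confirming that a foreign ticket ID exists.
        abort_unless(
            $project !== null && $project->members->contains('id', Auth::id()),
            404
        );

        // Input validation: index must be a non-negative integer and status must
        // be one of this project's configured status slugs.
        $allowedStatuses = $project->statuses->pluck('slug')->all();
        validator(
            ['index' => $newIndex, 'status' => $newStatus],
            [
                'index'  => ['required', 'integer', 'min:0'],
                'status' => ['required', 'string', Rule::in($allowedStatuses)],
            ]
        )->validate();

        $ticket->update(['index' => $newIndex, 'status' => $newStatus]);
    }
}
```

The same membership check belongs in a `TicketPolicy` (e.g. an `update` ability consulted via `$this->authorize('update', $ticket)`) so that Filament pages and delete actions, which the advisory also flags, share one authorization rule instead of each listener reimplementing it. The important property is that the project used for the check is derived from the ticket row, not from any identifier the client sends.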
Preconditions
- Authentication: the attacker must be an authenticated user.
- Network: the attack can be carried out remotely.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.