CVE-2026-56355
Description
GNU Savannah Administration Savane through 3.17 uses untrusted data as part of authorization.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Savane through 3.17 uses untrusted data as part of authorization decisions."
Attack vector
An attacker can exploit this vulnerability by supplying untrusted data that is used in authorization decisions, potentially bypassing access controls. The advisory does not detail the exact network path or payload shape, but the exploit was demonstrated by Hacktron researchers against the live Savannah platform [ref_id=1]. The preconditions for exploitation are not fully specified in the available information.
Affected code
The advisory does not specify which functions or files are at fault; it only identifies the product as GNU Savannah Administration Savane through version 3.17. The vulnerability is described as using untrusted data as part of authorization, but no specific code paths are named in the bundle.
What the fix does
The Free Software Foundation, GNU, and volunteer staff patched all reported vulnerabilities along with additional security issues submitted during the review [ref_id=1]. The patch details are not included in the bundle, so the specific code changes are unknown. The advisory states that no evidence of sensitive data access or supply chain compromise was found after the fixes were applied.
Preconditions
- input: The attacker must be able to supply untrusted data that is consumed by the authorization logic in Savane.
- network: The attacker must have network access to the GNU Savannah service.
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- cgit.git.savannah.gnu.org/cgit/administration/savane.git/tree/frontend/php/file.php (mitre)
- news.ycombinator.com/item (mitre)
- www.fsf.org/news/statement-regarding-gnu-savannah-security-reports (mitre)
- www.hacktron.ai (mitre)
- www.mallory.ai/stories/019ee445-bdd4-7775-93b5-a8faaf5c2eb7 (mitre)