MEDIUM 5.4

CVE-2026-10285: DevaslanPHP Improper Authorization in Ticket Handler

DevaslanPHP project-management versions up to 2.0.0-beta1 contain an authorization flaw in the ticket handler component. An authenticated user can manipulate ticket records in ways they should not be permitted to perform, potentially modifying or deleting ticket data without proper access controls. The vulnerability requires an existing login but can be exploited remotely over the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-285
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability has been found in DevaslanPHP project-management up to 2.0.0-beta1. Affected by this issue is the function KanbanScrumHelper::recordUpdated of the file app/Helpers/KanbanScrumHelper.php of the component Ticket Handler. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the KanbanScrumHelper::recordUpdated method within app/Helpers/KanbanScrumHelper.php. The flaw involves improper authorization checks when processing ticket record updates, allowing authenticated users to perform actions beyond their intended privileges. This is classified as an improper authorization issue (CWE-266, CWE-285), meaning the application fails to enforce role-based or permission-based restrictions on the ticket handler function. The attack vector is network-based with low attack complexity, requiring only valid credentials and no user interaction.

Business impact

Organizations using DevaslanPHP for project management face data integrity risks. Attackers with basic user credentials could modify, delete, or corrupt ticket records, leading to loss of project visibility, audit trail contamination, and potential operational disruption. In environments where tickets track critical work or compliance items, unauthorized modifications could have downstream consequences for project planning and regulatory reporting.

Affected systems

DevaslanPHP project-management versions up to and including 2.0.0-beta1 are affected. The vulnerability impacts the Kanban/Scrum board ticket handler functionality. Verify your deployment version against the vendor's advisory to confirm exposure. No patch version has been announced at this time; the project maintainers have not yet responded to the early disclosure report.

Exploitability

Exploitation requires valid user credentials—the attacker must already have authenticated access to the application. No exploit code is publicly known, and the vulnerability is not yet tracked on CISA's Known Exploited Vulnerabilities catalog. The low attack complexity means an attacker with login access can exploit this without sophisticated techniques, but widespread attack is limited by the authentication requirement. The lack of vendor response increases the window of exposure for organizations that cannot implement compensating controls.

Remediation

Immediately check whether your DevaslanPHP installation is at version 2.0.0-beta1 or earlier. Contact the DevaslanPHP project or monitor their repository for a security patch. Until a patch is available, restrict access to the project-management application to trusted users only, implement network segmentation to limit who can reach the application, and audit recent ticket record changes for signs of unauthorized modification. Consider enabling application-level logging on ticket updates to aid forensic investigation.

Patch guidance

No official patch has been released as of the modification date (2026-06-17). Monitor the DevaslanPHP project repository and security advisories closely. When a patch is released, verify the fixed version number in the vendor announcement and test in a non-production environment before deploying. Given the early disclosure stage and lack of vendor response, plan to apply patches promptly once available, and prepare rollback procedures in case of compatibility issues with your specific configuration.

Detection guidance

Enable and review audit logs for the KanbanScrumHelper::recordUpdated function calls. Look for ticket record modifications that do not align with the user's role or assigned responsibilities. Search for bulk ticket updates by accounts that typically perform minimal ticket operations. Network-level monitoring should flag unusual volumes of POST/PUT requests to ticket endpoints from single user sessions. Application performance monitoring may reveal anomalies in database query patterns for the kanban or scrum board handlers.

Why prioritize this

Although rated MEDIUM severity with a CVSS score of 5.4, this vulnerability warrants attention because it affects data integrity in a project-management system—a system of trust that many teams depend on for operational planning. The authentication requirement and lack of active exploitation reduce immediate risk, but the absence of a vendor patch means exposed organizations face indefinite exposure. Beta software versions in production deployments should trigger higher scrutiny. Prioritize patching once a fix is available and audit your ticket data for tampering in the interim.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects the following factors: Network accessibility (AV:N) and low attack complexity (AC:L) indicate easy remote exploitation, but the requirement for prior authentication (PR:L) limits the threat actor population. The impact is limited to integrity and availability (I:L, A:L)—no confidentiality breach—and the scope is unchanged (S:U). The absence from CISA's KEV list suggests no active weaponization or in-the-wild exploitation as of the publication date.

Frequently asked questions

Do we need to patch immediately if we're using DevaslanPHP in a private, internally-only deployment?

While internal-only deployments reduce external threat actor access, insider threats and account compromise remain valid attack vectors. Patch as soon as a fix is available. Until then, enforce strict role-based access controls, audit ticket modifications regularly, and consider temporarily disabling direct user access to the ticket handler for non-administrators.

The vulnerability is in beta software—do we have time to wait for a stable release?

Beta versions are typically not recommended for production use, but if you are running 2.0.0-beta1 in production, treat this as urgent. A stable release may or may not address this flaw. Do not assume a stable release will fix it without vendor confirmation. Plan to upgrade or patch as soon as the vendor confirms a fix.

Can we work around this vulnerability without patching?

True mitigation without a patch is limited, but you can reduce risk by enforcing least-privilege access (restrict user roles), implementing network segmentation to limit who can reach the application, and enabling comprehensive audit logging on all ticket operations. These are temporary measures only and do not eliminate the underlying flaw.

Is this vulnerability being actively exploited in the wild?

No. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, and there are no public reports of active exploitation. However, the lack of a vendor response and the presence of the vulnerability in production systems create an attractive target for attackers who discover it independently.

This analysis is based on publicly available information and the vendor's description as of the modification date (2026-06-17). No patch has been released by the DevaslanPHP project at this time; verify against the vendor's official advisories before relying on patch information. Security researchers and organizations should report any additional information about active exploitation directly to the vendor and to CISA. This page is for informational purposes and does not constitute professional security advice; consult your organization's security team and the vendor for guidance specific to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).