Critical Vulnerability Information

Vulnerability ID: #44489
Submitter: Marion Caby (mdv)
Submission Date: 2025-09-06 10:58
Last Modified Date: 2025-09-09 09:09
Status: Closed
Closure Date: 2025-09-09

Vulnerability Details

Summary: Backlog item representations do not verify the permissions of the child trackers.
Impact: Users might see tracker names they should not have access to.
CVSS v3.1 Score: 4.3 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N]
Exploitation Method: Have a user that cannot access a tracker and have this tracker in children trackers of a backlog item. The quick add children action should not show the trackers not accessible to the users.
References: CWE-280, CVE-2025-59610

Classification & Platform

Category: Agile Dashboard
Reported Version: All
Platform: Empty

Related Links

Git Commit: TULEAP/TULEAP-STABLE fix request #44489: Backlog item representations do not verify the permissions of the child trackers.

Tracking Record

Confirmation: The issue has been confirmed as a security issue.
Fix: Fix is being reviewed here: gitit #55523.