CVE-2026-31874
Taskosaur · Taskosaur
Taskosaur 1.0.0 allows unauthenticated attackers to register accounts with SUPER_ADMIN privileges by manually modifying the role parameter during the registration process.
Executive summary
A critical privilege escalation vulnerability in Taskosaur allows any unauthenticated user to register as a SUPER_ADMIN, granting them full control over the project management platform.
Vulnerability
The application fails to validate the role parameter during user registration. An unauthenticated attacker can manipulate the registration request payload to include a SUPER_ADMIN role, which the backend accepts without restriction, resulting in a fully privileged administrative account.
Business impact
This flaw allows for the complete compromise of the Taskosaur instance, including access to all project data, AI task execution logs, and user information. With a CVSS score of 9.8, the vulnerability enables an attacker to effectively hijack the entire platform and its integrated conversational AI tools.
Remediation
Immediate Action: Update Taskosaur to a version higher than 1.0.0 that enforces server-side role assignment restrictions.
Proactive Monitoring: Audit the user database for any accounts created with the SUPER_ADMIN role that were not explicitly authorized by existing administrators.
Compensating Controls: Temporarily disable public user registration until the patch is applied or implement a manual approval process for all new accounts.
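The mass-assignment pattern described under Vulnerability, its server-side fix, and the audit step from the remediation list, as an added example that is not Taskosaur's own code: a hypothetical registration handler in TypeScript whose stack, field names and MEMBER default role are assumptions.

```typescript
// Constructed illustration of the pattern behind CVE-2026-31874 (not Taskosaur code).
// Role names, field names and the default role are assumptions.
type Role = "MEMBER" | "ADMIN" | "SUPER_ADMIN";

interface User {
  email: string;
  name: string;
  role: Role;
  passwordHash: string;
}

// Stand-in for a real password hasher (constructed; use argon2/bcrypt in practice).
const hash = (pw: string): string => `hashed:${pw.length}`;

// VULNERABLE: every body field is copied into the new user, so a client-supplied
// "role" overrides the server default. The cast hides that the object is untrusted.
function registerVulnerable(body: Record<string, unknown>): User {
  const { password, ...rest } = body;
  const user = { role: "MEMBER", ...rest, passwordHash: hash(String(password ?? "")) };
  return user as unknown as User;
}

// FIXED: only whitelisted fields are read; the role is assigned server-side and
// anything else in the body (including "role") is ignored.
function registerFixed(body: Record<string, unknown>): User {
  const email = String(body.email ?? "").trim().toLowerCase();
  const name = String(body.name ?? "").trim();
  const password = String(body.password ?? "");
  if (!email || !name || password.length < 12) {
    throw new Error("invalid registration payload");
  }
  return { email, name, role: "MEMBER", passwordHash: hash(password) };
}

// Audit helper for the "Proactive Monitoring" step: list SUPER_ADMIN accounts
// that are not on the administrators' approved list.
function unauthorizedSuperAdmins(users: User[], approved: Set<string>): string[] {
  return users
    .filter((u) => u.role === "SUPER_ADMIN" && !approved.has(u.email))
    .map((u) => u.email);
}

// Constructed registration payload of the kind the advisory describes.
const tamperedBody: Record<string, unknown> = {
  email: "attacker@example.com",
  name: "Attacker",
  password: "correct-horse-battery",
  role: "SUPER_ADMIN",
};
```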
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability for any user to self-promote to the highest level of administrative access is a fundamental security failure. Immediate remediation via software update is required to protect organizational data and maintain the integrity of the project management environment.