CVE-2026-14165
Dassault Systèmes · Tuleap Enterprise Edition
Tuleap Enterprise Edition is vulnerable to an authorization bypass allowing unauthenticated attackers to access sensitive information via user-controlled keys.
Executive summary
A critical authorization bypass vulnerability in Tuleap Enterprise Edition allows unauthenticated attackers to potentially access unauthorized data.
Vulnerability
This is an Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. The flaw exists in the application's access control logic, allowing an unauthenticated remote attacker to bypass security checks and gain unauthorized access to sensitive information.
Business impact
Successful exploitation of this vulnerability could lead to significant data exposure, as the attacker does not require prior authentication to target the system. With a CVSS score of 7.5, this high-severity flaw represents a substantial risk to data confidentiality and regulatory compliance. Organizations relying on Tuleap for internal development or sensitive project management must treat this as a priority to prevent information leakage.
Remediation
Immediate Action: Review the official security advisory from Dassault Systèmes and apply the necessary patches or security updates as soon as they are made available.
Proactive Monitoring: Review web server and application access logs for unusual patterns or access requests targeting unconventional user keys or endpoints.
Compensating Controls: Implement strict network access controls and ensure the Tuleap instance is not exposed to the public internet unless absolutely necessary.
Exploitation status
Public Exploit Available: No (Exploit_available: false)
Analyst recommendation
Given the high-severity nature of this authorization bypass, it is imperative that administrators identify their current Tuleap version immediately. If the instance falls within the affected ranges, prioritize the application of vendor-provided security patches to close this access gap and protect sensitive project data.