CVE-2026-7510

MEDIUM

OWAP DefectDojo Benchmark/Engagement/Product/Survey authorization

Title source: cna

Description

A vulnerability was determined in OWAP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.56.0 addresses this issue. This patch is called eb6120a379185d37eb1af17b69bb5614a830ab1f. Upgrading the affected component is recommended.

References (7)

[Vdb Entry] https://vuldb.com/vuln/360317

[Signature, Permissions Required] https://vuldb.com/vuln/360317/cti

[Third Party Advisory] https://vuldb.com/submit/803751

[Exploit] https://github.com/noname1337h1/cve-bug-bounty/blob/main/dfdj_risk_acceptance_raid_idor_authorization_bypass/dfdj_risk_acceptance_raid_idor_authorization_bypass.md

View Exploit ZIP pw:eip

[Patch] https://github.com/DefectDojo/django-DefectDojo/pull/14375

[Patch] https://github.com/DefectDojo/django-DefectDojo/commit/eb6120a379185d37eb1af17b69bb5614a830ab1f

View Patch ZIP pw:eip

[Patch] https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.56.0

Scores

CVSS v3 6.3

EPSS 0.0004

EPSS Percentile 12.8%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-285 CWE-639

Status published

Products (6)

OWAP/DefectDojo 2.55.0

OWAP/DefectDojo 2.55.1

OWAP/DefectDojo 2.55.2

OWAP/DefectDojo 2.55.3

OWAP/DefectDojo 2.55.4

OWAP/DefectDojo 2.56.0

Published Apr 30, 2026

Tracked Since May 01, 2026