CVE-2026-24007 identifies a Cross-Site Request Forgery (CSRF) vulnerability in Enalean's Tuleap, an open-source software development and collaboration suite. The vulnerability arises due to the absence of CSRF protection in the 'Overview inconsistent items' feature, which manages artifact links related to software releases. CSRF attacks exploit the trust a web application places in a user's browser by tricking authenticated users into submitting unauthorized requests. In this case, an attacker can craft a malicious link or webpage that, when visited by an authenticated Tuleap user, triggers the repair of inconsistent items by creating artifact links without the user's consent. This can lead to unauthorized modifications affecting the integrity of project data and potentially disrupt project workflows, impacting availability. The CVSS v3.1 base score is 4.6 (medium), reflecting that the attack vector is network-based, requires low privileges and user interaction, and impacts integrity and availability but not confidentiality. The vulnerability affects all Tuleap versions prior to 17.0.99.1768924735, with fixes available in the Community Edition 17.0.99.1768924735 and Enterprise Editions 17.2-5, 17.1-6, and 17.0-9. No public exploits have been reported, indicating limited current exploitation but a potential risk if attackers develop exploit code. The vulnerability is classified under CWE-352, a common web security weakness related to CSRF.

For European organizations relying on Tuleap for software development lifecycle management and collaboration, this vulnerability poses a risk to the integrity and availability of project data. Unauthorized repair of inconsistent items could lead to corrupted project artifacts, mislinked releases, or disrupted workflows, potentially delaying development cycles and causing operational inefficiencies. While confidentiality is not directly impacted, the integrity compromise can undermine trust in project data and may require significant manual remediation. Organizations with strict compliance requirements or those operating in regulated sectors (e.g., finance, healthcare, critical infrastructure) may face additional risks if project data integrity is compromised. The requirement for user interaction and authentication limits the scope somewhat, but social engineering or phishing campaigns could facilitate exploitation. Given Tuleap's adoption in European software development environments, especially in countries with strong open-source communities and digital transformation initiatives, the impact could be significant if unpatched.

Organizations should immediately upgrade Tuleap installations to the fixed versions: Community Edition 17.0.99.1768924735 or Enterprise Editions 17.2-5, 17.1-6, or 17.0-9. Until patches are applied, administrators should implement additional CSRF mitigations such as enforcing strict SameSite cookie attributes and validating origin headers where feasible. User education to recognize phishing attempts and suspicious links is critical to reduce the risk of social engineering-based exploitation. Monitoring and logging of unusual repair actions or artifact link creations can help detect attempted exploitation. Network-level protections, such as web application firewalls (WAFs), can be configured to detect and block suspicious CSRF-like requests targeting the vulnerable endpoints. Regular security audits and vulnerability scans should be conducted to ensure no outdated versions remain in use. Finally, organizations should review and tighten user privilege assignments to minimize the number of users with permissions to perform repair actions, reducing the attack surface.