OWASP DefectDojo
Moderate fix1 remedy
cpe:2.3:a:owasp:defectdojo:*:*:*:*:*:*:*
Moderate fix1 remedy
- <= 2.55.4
OWASP DefectDojo Authorization Bypass Vulnerability in Benchmark Engagement Product Survey Component
Vulnerability
Patched
An authorization bypass vulnerability has been identified in OWASP DefectDojo versions through 2.55.4. The issue arises in the Benchmark/Engagement/Product/Survey component, where authorization checks are improperly implemented. The vulnerability allows remote manipulation that bypasses authorization, enabling access to restricted functionalities. This flaw has been publicly disclosed and exploited.
Impact
Exploitation of this vulnerability allows unauthorized access to risk acceptance data, including the ability to view, edit, expire, reinstate, and delete risk acceptances that do not belong to the user.
Reproduction
To reproduce this vulnerability, log in with an account that has access to a specific engagement. Then, send a request to access a risk acceptance from a different engagement that the account does not have access to. The response will incorrectly allow access to the risk acceptance details.
Remediation
Users are advised to upgrade to OWASP DefectDojo version 2.56.0, where this vulnerability has been fixed.
Added: Apr 30, 2026, 11:24 PM
Updated: Apr 30, 2026, 11:24 PM
Vulnerability Rating
Custom Algorithm
spread
3.1impact
1.3exploitability
6.6remediation
7.7relevance
7.0threat
6.4urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.