CVE-2026-24776

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/opf/openproject/releases/tag/v17.0.2	Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 18:15

Updated : 2026-02-23 18:14

NVD link : CVE-2026-24776

Mitre link : CVE-2026-24776

CVE.ORG link : CVE-2026-24776

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-24776", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-06T18:15:58.497", "references": [{"url": "https://github.com/opf/openproject/releases/tag/v17.0.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2."}, {"lang": "es", "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Antes de la 17.0.2, el manejador de arrastrar y soltar que mov\u00eda un elemento de la agenda a una secci\u00f3n diferente no verificaba correctamente si la secci\u00f3n de reuni\u00f3n de destino formaba parte de la misma reuni\u00f3n (o si era el backlog, en el caso de reuniones recurrentes). Esto permit\u00eda a un atacante mover un elemento de la agenda de una reuni\u00f3n a una reuni\u00f3n diferente. El atacante no obten\u00eda acceso a las reuniones, pero pod\u00eda a\u00f1adir elementos de la agenda arbitrarios, lo que podr\u00eda causar confusiones. La vulnerabilidad est\u00e1 corregida en la versi\u00f3n 17.0.2."}], "lastModified": "2026-02-23T18:14:32.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FA4C106-EEE3-4582-BE10-010975AE359B", "versionEndExcluding": "17.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}