CVE-2026-24777

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/opf/openproject/releases/tag/v17.0.2	Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 19:15

Updated : 2026-02-11 18:28

NVD link : CVE-2026-24777

Mitre link : CVE-2026-24777

CVE.ORG link : CVE-2026-24777

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-24777", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 5.5, "exploitabilityScore": 1.2}]}, "published": "2026-02-09T19:15:50.200", "references": [{"url": "https://github.com/opf/openproject/releases/tag/v17.0.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2."}, {"lang": "es", "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Antes de la versi\u00f3n 17.0.2, los usuarios con el permiso Gestionar Usuarios pod\u00edan bloquear y desbloquear usuarios. Esta funcionalidad solo deber\u00eda ser posible para los usuarios de la aplicaci\u00f3n, pero no se supon\u00eda que pudieran bloquear a los administradores de la aplicaci\u00f3n. Debido a una comprobaci\u00f3n de permisos faltante, esta l\u00f3gica no se aplic\u00f3. El problema se solucion\u00f3 en OpenProject 17.0.2."}], "lastModified": "2026-02-11T18:28:40.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FA4C106-EEE3-4582-BE10-010975AE359B", "versionEndExcluding": "17.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}