394 matches found
CVE-2026-52782
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/projectstorages/ via PATCH parameter "storagesprojectstorageprojectfolderid" leads to Access to Unauthorized Resources. A project-admin in one project can...
CVE-2026-52782
OpenProject versions prior to 17.3.3 and 17.4.1 are affected by an IDOR in /projects//settings/project_storages/ via PATCH parameter storages_project_storage[project_folder_id], allowing a project-admin to hijack another project’s managed Nextcloud/OneDrive folder on the same storage. The vulnera...
CVE-2026-52782 OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects//settings/projectstorages/ via PATCH parameter "storagesprojectstorageprojectfolderid" leads to Access to Unauthorized Resources. A project-admin in one project can...
CVE-2026-52783 OpenProject: Information Disclosure (cleartext storage of data) on localhost through memcached via Others "storage.<id>.httpx_access_token" leads to Sensitive Data Exposure
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, OpenProject's Storages module writes the OneDrive/SharePoint userless OAuth accesstoken plaintext to Rails.cache under the deterministic key storage..httpxaccesstoken, repopulated continuously by an...
CVE-2026-52783
OpenProject stores OneDrive/SharePoint userless OAuth access_token in plaintext in Rails.cache within the Storages module prior to versions 17.3.3 and 17.4.1. None of the allowed backends (file_store, memcache, redis) encrypts data at rest. An attacker with read access to the cache can retrieve t...
CVE-2026-52784 OpenProject: CSRF on TARGET through /users/:id via POST parameter "user[admin]"
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "useradmin". This vulnerability is fixed in 17.3.3 and 17.4.1...
CVE-2026-52784
CVE-2026-52784 (OpenProject) is a CSRF vulnerability in OpenProject’s web UI. The issue allows CSRF on a user-targeted action via POST to /users/:id with the parameter user[admin], enabling unauthorized state changes without user interaction. Affected software versions are prior to 17.3.3 and 17....
CVE-2026-52785 OpenProject: SQL injection in timestamps functionality
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a SQL injection in timestamps functionality. OpenProject baseline comparison allows callers to request historic work-package attributes using the timestamps parameter. This vulnerability is fix...
CVE-2026-52785
OpenProject prior to versions 17.3.3 and 17.4.1 contains a SQL injection in the timestamps functionality. The vulnerability is tied to the baseline comparison feature, where the timestamps parameter can be used to request historic work-package attributes. The issue is fixed in 17.3.3 and 17.4.1. ...
PT-2026-52902
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.2 OpenProject versions prior to 17.4.0 Description A business logic error exists in the password change behavior. This flaw allows an attacker who has achieved an active session takeover to bypass password...
PT-2026-52905
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.4.0 Description An issue in the RelationQuery performance optimization allows authenticated users to bypass the Relation.visible scope. By providing an arbitrary work package ID through the involved, fromId, or...
PT-2026-52903
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.2 OpenProject versions prior to 17.4.0 Description A missing authorization issue exists in the CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, an...
PT-2026-52899
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.4.0 Description The rich text rendering pipeline uses an overly permissive configuration for inline style sanitization. This allows authenticated users with write access to formattable text fields, such as work...
CVE-2026-40896
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...
CVE-2026-33667
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirmotp action of the twofactorauthentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing bruteforceblockafterfailedlogins setting...
EUVD-2026-23870
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...
CVE-2026-40896 OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...
CVE-2026-40896
CVE-2026-40896 concerns OpenProject before version 17.3.0, where a user with the low-privilege permission manage_agendas in any project can inject agenda items into meetings across other projects due to an unscoped section lookup vulnerability. The attack does not require knowledge of the target ...
CVE-2026-40896 OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...
CVE-2026-40896
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manageagendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target...