Skip to main content

OpenProject CVE-2026-44732

| EUVDEUVD-2026-39882 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Requires authenticated low-privilege session (PR:L); network-accessible with no complexity barriers; integrity-only impact as documents can be moved cross-project but data cannot be read or destroyed.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 21:02 EUVD
Analysis Generated
Jun 26, 2026 - 20:33 vuln.today

DescriptionCVE.org

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without :manage_documents in the source project can move and modify foreign project documents by setting project_id in a single PATCH request. This vulnerability is fixed in 17.3.2 and 17.4.0.

AnalysisAI

OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a project_id attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the :manage_documents permission check entirely. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege project member
Delivery
Identify document ID in accessible project
Exploit
Enumerate or guess target foreign project_id
Execution
Send PATCH request with project_id set to unauthorized project
Persist
Server applies attributes before enforcing authorization
Impact
Document moved or modified in unauthorized project

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session with at least low-privilege membership in one OpenProject project (CVSS PR:L confirms this prerequisite). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.3 Medium score (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) accurately reflects the bounded but concrete nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated OpenProject user with membership in Project A sends a PATCH request to the document update endpoint for a document in Project A, but sets `project_id` in the request body to the ID of Project B, a sensitive project the attacker has no `:manage_documents` permission on. Because the endpoint applies the user-supplied attributes before the authorization check fires, the request succeeds and the document is transferred into Project B - or its metadata is overwritten - without any permission error. …
Remediation Upgrade to OpenProject 17.3.2 or 17.4.0, both of which correct the authorization sequence so that permission checks are enforced before attacker-controlled attributes are applied to the document record. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-11600 HIGH POC
8.1 May 13

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi

CVE-2023-33960 HIGH POC
7.5 Jun 01

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp

CVE-2023-31140 MEDIUM POC
6.5 May 08

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely

CVE-2026-46386 CRITICAL
9.9 Jun 26

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2026-52785 CRITICAL
9.9 Jun 26

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user

CVE-2026-34717 CRITICAL
9.9 Apr 02

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via

CVE-2026-25763 CRITICAL
9.9 Feb 06

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr

CVE-2026-52780 CRITICAL
9.6 Jun 26

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi

CVE-2026-32698 CRITICAL
9.1 Mar 18

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior

CVE-2026-22600 CRITICAL
9.1 Jan 10

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex

CVE-2026-32703 CRITICAL
9.0 Mar 18

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying

Share

CVE-2026-44732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy