Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Requires authenticated low-privilege session (PR:L); network-accessible with no complexity barriers; integrity-only impact as documents can be moved cross-project but data cannot be read or destroyed.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without :manage_documents in the source project can move and modify foreign project documents by setting project_id in a single PATCH request. This vulnerability is fixed in 17.3.2 and 17.4.0.
AnalysisAI
OpenProject's document update endpoint before versions 17.3.2 and 17.4.0 contains an authorization order-of-operations flaw (CWE-639) that allows any authenticated low-privilege user to move or modify documents belonging to projects they do not have permission to manage. By sending a single crafted PATCH request containing a project_id attribute pointing to a foreign project, the attacker exploits the endpoint's incorrect sequence - attributes are applied to the record before authorization is enforced - bypassing the :manage_documents permission check entirely. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session with at least low-privilege membership in one OpenProject project (CVSS PR:L confirms this prerequisite). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.3 Medium score (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) accurately reflects the bounded but concrete nature of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated OpenProject user with membership in Project A sends a PATCH request to the document update endpoint for a document in Project A, but sets `project_id` in the request body to the ID of Project B, a sensitive project the attacker has no `:manage_documents` permission on. Because the endpoint applies the user-supplied attributes before the authorization check fires, the request succeeds and the document is transferred into Project B - or its metadata is overwritten - without any permission error. … |
| Remediation | Upgrade to OpenProject 17.3.2 or 17.4.0, both of which correct the authorization sequence so that permission checks are enforced before attacker-controlled attributes are applied to the document record. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39882