Skip to main content

OpenProject CVE-2026-52779

| EUVDEUVD-2026-39873 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-26 GitHub_M
5.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
5.4 MEDIUM

Network-accessible web app, low complexity IDOR; PR:L because management role in any one project is required; no confidentiality impact as only deletion is possible.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 26, 2026 - 21:02 EUVD
Analysis Generated
Jun 26, 2026 - 19:51 vuln.today

DescriptionCVE.org

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.

AnalysisAI

Cross-project IDOR in OpenProject's Calendar and Team Planner modules allows an authenticated low-privileged user with management rights in one project to delete public or shared Calendar and Team Planner Query views belonging to entirely separate projects on the same instance. The authorization context is established using :project_id from the URL (Project A), but the targeted Query object is resolved independently by :id through Query.visible(current_user), with no check that the loaded Query belongs to the authorized project - enabling cross-project privilege misuse. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with management role in Project A
Delivery
Browse or enumerate public Query IDs from Project B shared views
Exploit
Craft DELETE request using Project A :project_id but Project B Query :id
Execution
Server authorizes against Project A context without validating query ownership
Persist
Query.visible scope confirms attacker can see the query
Impact
Shared Calendar or Team Planner view deleted from Project B

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated OpenProject user account with management-level permissions in at least one project on the target instance (CVSS PR:L confirmed). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L accurately reflects the bounded real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a legitimate OpenProject account holding management permissions in Project A identifies the numeric IDs of public Calendar or Team Planner queries belonging to Project B (discoverable by browsing shared views or through the API). The attacker crafts a deletion HTTP request using Project A's :project_id in the URL path but substitutes Project B's query :id as the resource identifier; the server authorizes the request against Project A's context and deletes the unrelated Project B query without error. …
Remediation Upgrade OpenProject to version 17.3.3 (stable channel) or 17.4.1 (current channel), which contain the fix for this vulnerability per the vendor advisory at https://github.com/opf/openproject/security/advisories/GHSA-jrx5-px3f-vfq4. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-11600 HIGH POC
8.1 May 13

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi

CVE-2023-33960 HIGH POC
7.5 Jun 01

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp

CVE-2023-31140 MEDIUM POC
6.5 May 08

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely

CVE-2026-46386 CRITICAL
9.9 Jun 26

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2026-52785 CRITICAL
9.9 Jun 26

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user

CVE-2026-34717 CRITICAL
9.9 Apr 02

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via

CVE-2026-25763 CRITICAL
9.9 Feb 06

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr

CVE-2026-52780 CRITICAL
9.6 Jun 26

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi

CVE-2026-32698 CRITICAL
9.1 Mar 18

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior

CVE-2026-22600 CRITICAL
9.1 Jan 10

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex

CVE-2026-32703 CRITICAL
9.0 Mar 18

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying

Share

CVE-2026-52779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy