
OpenProject CVE-2026-52784
EUVD ID: EUVD-2026-39868 · Severity: HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
Published: 2026-06-26 · CVSS 3.1 base score: 8.8 · Vendor: GitHub_M

Severity by source

  • Vendor (GitHub_M), primary rating: 8.8 HIGH
    CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • vuln.today AI: 8.8 HIGH
    Rationale: CSRF needs the victim to load attacker content (UI:R) and the attacker holds no account (PR:N); abuse of the victim's admin session grants full admin, so C/I/A are all High.
    CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (2 events)

  • Patch available: Jun 26, 2026, 21:02 (EUVD)
  • Analysis generated: Jun 26, 2026, 19:47 (vuln.today)

Description (CVE.org)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.

Analysis (AI)

Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify privileged OpenProject session
  • Delivery: Host auto-submitting forged form
  • Exploit: Lure admin to malicious page
  • Execution: Browser POSTs user[admin]=1 to /users/:id
  • Persist: Attacker account elevated to administrator
  • Impact: Full administrative control of instance

Vulnerability Assessment (AI)

Exploitation: The forged request targets the /users/:id update endpoint and must set the POST parameter user[admin], so the precondition is that a victim with rights to modify user accounts (an existing administrator) has an active authenticated OpenProject session in a browser that loads the attacker's page. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The supplied CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8) is internally inconsistent with a CSRF weakness: classic CSRF requires the victim to load attacker content, which should be UI:R, and the attacker usually holds no account of their own (PR:N) while abusing the victim's session, so the published UI:N/PR:L pairing should be verified against the GHSA advisory rather than taken at face value. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker hosts a web page with a hidden auto-submitting form that POSTs to https://victim-openproject/users/<attacker_account_id> with user[admin]=1, then lures a currently logged-in OpenProject administrator to that page; the victim's browser submits the request with their session cookies and the attacker's account is silently elevated to administrator. No public proof-of-concept is identified at time of analysis, and the low attack complexity means a working forge is trivial to build once the endpoint behavior is known.
Remediation: Vendor-released patch: upgrade to OpenProject 17.3.3 (for 17.3.x deployments) or 17.4.1 (for 17.4.x deployments), per advisory GHSA-6crw-7f5r-4qj9 (https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9). … Detailed patch versions, workarounds, and compensating controls in full report.
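Until the 17.3.3 / 17.4.1 upgrade is applied, a reverse proxy in front of OpenProject can add a defence-in-depth layer against the forged form described above by rejecting state-changing requests whose browser-supplied Fetch Metadata or Origin header shows they were initiated from another site. The Python below is an added example, not OpenProject's own code and not a vuln.today recommendation; the sample requests and the host `openproject.example` are constructed for illustration. It encodes the usual policy: block when `Sec-Fetch-Site` is `cross-site`, otherwise fall back to `Origin`/`Referer` and block when that names a different host, and allow (but mark as unverified, for logging) when a legacy client sends neither header so old browsers are not broken. It does not replace the vendor patch, which is the only fix for the endpoint itself.

```python
from urllib.parse import urlsplit

# Methods that may change server state and therefore need a same-site check.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def classify_request(method: str, headers: dict, site_host: str) -> str:
    """Decide 'allow', 'allow-unverified' or 'block' for one proxied request.

    Fetch Metadata first (browsers set it and scripts cannot forge it), then the
    Origin/Referer fallback for browsers that predate Sec-Fetch-Site.
    """
    if method.upper() not in STATE_CHANGING:
        return "allow"                      # GET/HEAD/OPTIONS never block here
    h = {k.lower(): v for k, v in headers.items()}

    sfs = h.get("sec-fetch-site")
    if sfs is not None:
        sfs = sfs.strip().lower()
        if sfs in ("same-origin", "same-site", "none"):
            return "allow"                  # 'none' = typed URL / bookmark
        return "block"                      # 'cross-site' or unknown value

    source = h.get("origin") or h.get("referer")
    if source is None:
        return "allow-unverified"           # legacy client: log, don't break
    if source.strip().lower() == "null":
        return "block"                      # opaque origin (sandboxed frame, data: URL)
    return "allow" if urlsplit(source).hostname == site_host.lower() else "block"


# Constructed sample traffic: (description, method, headers).
SAMPLE_REQUESTS = [
    ("admin saves a user form from the app itself", "POST",
     {"Host": "openproject.example", "Origin": "https://openproject.example",
      "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "navigate"}),
    ("form auto-submitted from another site", "POST",
     {"Host": "openproject.example", "Origin": "https://other.example",
      "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate"}),
    ("legacy browser, Origin header only", "POST",
     {"Host": "openproject.example", "Origin": "https://other.example"}),
    ("legacy browser, neither header", "POST",
     {"Host": "openproject.example"}),
    ("cross-site read of a user page", "GET",
     {"Host": "openproject.example", "Sec-Fetch-Site": "cross-site"}),
]


def audit(requests=SAMPLE_REQUESTS, site_host="openproject.example"):
    """Apply the policy to a batch of requests; returns [(description, decision)]."""
    return [(desc, classify_request(method, hdrs, site_host)) for desc, method, hdrs in requests]


if __name__ == "__main__":
    for desc, decision in audit():
        print(f"{decision:17s} {desc}")
```

The `allow-unverified` outcome is deliberate: a proxy that hard-blocks every header-less POST will break non-browser API clients, so surface those in logs and tighten once they are accounted for. Note that this is a cross-site check only; a forged request that somehow carries a same-site origin is out of scope for this layer.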

Recommended Action (AI)

Within 24 hours: Inventory all OpenProject deployments and identify current versions in the 17.3.x and 17.4.x lines. …




CVE-2026-52784 vulnerability details – vuln.today
