Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage_agendas permission in any project can inject agenda items into meetings belonging to any other project on the instance - even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
AnalysisAI
OpenProject versions prior to 17.3.0 allow authenticated users with manage_agendas permission in any single project to inject malicious agenda items into meetings across all other projects on the instance, including projects to which the attacker has no access. The vulnerability requires only valid project membership with limited permissions and no knowledge of target meetings, enabling an attacker to systematically compromise meeting integrity across an entire OpenProject deployment. No public exploit code has been identified, and the vendor has released patched version 17.3.0 addressing this privilege escalation flaw.
Technical ContextAI
OpenProject is a web-based project management platform written in Ruby on Rails that manages projects, teams, and meeting agendas. The vulnerability stems from insufficient access control in the agenda item injection mechanism, specifically a Time-of-Check-Time-of-Use (TOCTOU) race condition or improper authorization check (CWE-367) in the API or backend logic that handles agenda item creation. The flaw allows a user authenticated with manage_agendas permission in one project context to bypass project-level authorization checks and write agenda items to meeting objects in unrelated projects by directly referencing sequential section IDs without validating ownership or cross-project access. The affected product is identified via CPE cpe:2.3:a:opf:openproject, with all versions below 17.3.0 vulnerable. The attack surface is the agenda item creation endpoint, which likely accepts section IDs as direct input parameters without server-side verification that the requesting user has access to the target project.
RemediationAI
Vendor-released patch: OpenProject 17.3.0 or later. Organizations must upgrade immediately from any version below 17.3.0 to version 17.3.0 or the latest available release. Refer to the GitHub Security Advisory at https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245 for detailed upgrade instructions and verification steps. As an interim workaround pending upgrade, administrators should audit access logs for agenda item creation activity and manually remove unauthorized agenda items from meetings across projects; additionally, restrict manage_agendas permission assignment to trusted users and audit existing role assignments for users with this permission in multiple projects. Note that the workaround is labor-intensive and does not prevent ongoing exploitation-patching is the only reliable mitigation. Organizations unable to upgrade immediately should disable agenda functionality entirely via feature flags if available, accepting reduced project management capability as a trade-off for preventing poisoning attacks.
More in Openproject
View allA SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi
OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp
OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely
Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj
SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user
SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via
OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr
Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi
OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior
OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex
OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23870