Skip to main content

Openproject EUVDEUVD-2026-23870

| CVE-2026-40896 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-04-20 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

6
Patch released
Apr 23, 2026 - 13:45 nvd
Patch available
Analysis Generated
Apr 20, 2026 - 16:23 vuln.today
Patch available
Apr 20, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 20, 2026 - 16:00 euvd
EUVD-2026-23870
Analysis Generated
Apr 20, 2026 - 16:00 vuln.today
CVE Published
Apr 20, 2026 - 15:12 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage_agendas permission in any project can inject agenda items into meetings belonging to any other project on the instance - even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

AnalysisAI

OpenProject versions prior to 17.3.0 allow authenticated users with manage_agendas permission in any single project to inject malicious agenda items into meetings across all other projects on the instance, including projects to which the attacker has no access. The vulnerability requires only valid project membership with limited permissions and no knowledge of target meetings, enabling an attacker to systematically compromise meeting integrity across an entire OpenProject deployment. No public exploit code has been identified, and the vendor has released patched version 17.3.0 addressing this privilege escalation flaw.

Technical ContextAI

OpenProject is a web-based project management platform written in Ruby on Rails that manages projects, teams, and meeting agendas. The vulnerability stems from insufficient access control in the agenda item injection mechanism, specifically a Time-of-Check-Time-of-Use (TOCTOU) race condition or improper authorization check (CWE-367) in the API or backend logic that handles agenda item creation. The flaw allows a user authenticated with manage_agendas permission in one project context to bypass project-level authorization checks and write agenda items to meeting objects in unrelated projects by directly referencing sequential section IDs without validating ownership or cross-project access. The affected product is identified via CPE cpe:2.3:a:opf:openproject, with all versions below 17.3.0 vulnerable. The attack surface is the agenda item creation endpoint, which likely accepts section IDs as direct input parameters without server-side verification that the requesting user has access to the target project.

RemediationAI

Vendor-released patch: OpenProject 17.3.0 or later. Organizations must upgrade immediately from any version below 17.3.0 to version 17.3.0 or the latest available release. Refer to the GitHub Security Advisory at https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245 for detailed upgrade instructions and verification steps. As an interim workaround pending upgrade, administrators should audit access logs for agenda item creation activity and manually remove unauthorized agenda items from meetings across projects; additionally, restrict manage_agendas permission assignment to trusted users and audit existing role assignments for users with this permission in multiple projects. Note that the workaround is labor-intensive and does not prevent ongoing exploitation-patching is the only reliable mitigation. Organizations unable to upgrade immediately should disable agenda functionality entirely via feature flags if available, accepting reduced project management capability as a trade-off for preventing poisoning attacks.

CVE-2019-11600 HIGH POC
8.1 May 13

A SQL injection vulnerability in the activities API in OpenProject before 8.3.2 allows a remote attacker to execute arbi

CVE-2023-33960 HIGH POC
7.5 Jun 01

OpenProject is web-based project management software. Rated high severity (CVSS 7.5), this vulnerability is remotely exp

CVE-2023-31140 MEDIUM POC
6.5 May 08

OpenProject is open source project management software. Rated medium severity (CVSS 6.5), this vulnerability is remotely

CVE-2026-46386 CRITICAL
9.9 Jun 26

Authenticated remote code execution affects the official openproject/openproject Docker image, which ships with a hardco

CVE-2026-52782 CRITICAL
9.9 Jun 26

Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct obj

CVE-2026-52785 CRITICAL
9.9 Jun 26

SQL injection in OpenProject's baseline-comparison (timestamps) functionality lets an authenticated, low-privileged user

CVE-2026-34717 CRITICAL
9.9 Apr 02

SQL injection in OpenProject's reporting module allows authenticated attackers to execute arbitrary database queries via

CVE-2026-25763 CRITICAL
9.9 Feb 06

OpenProject has a CVSS 9.9 command injection vulnerability allowing authenticated users to execute OS commands on the pr

CVE-2026-52780 CRITICAL
9.6 Jun 26

Remote code execution in OpenProject before 17.3.3 and 17.4.1 arises from cache store poisoning, allowing an attacker wi

CVE-2026-32698 CRITICAL
9.1 Mar 18

OpenProject, a web-based project management platform, contains a critical SQL injection vulnerability in versions prior

CVE-2026-22600 CRITICAL
9.1 Jan 10

OpenProject (before 16.6.4) has a local file read vulnerability through SVG-based ImageMagick exploitation in the PDF ex

CVE-2026-32703 CRITICAL
9.0 Mar 18

OpenProject's Repositories module contains a stored cross-site scripting (XSS) vulnerability that occurs when displaying

Share

EUVD-2026-23870 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy