Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
A classic CSRF needs the victim to load attacker content (UI:R), and the attacker abuses the victim's session rather than privileges of their own (PR:N); because the abused session belongs to an administrator, the forged request yields full administrative control, so C/I/A are all High.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.
Analysis (AI)
Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. …
Vulnerability Assessment (AI)
| Aspect | Finding |
|---|---|
| Exploitation | Exploitation targets the /users/:id update endpoint and requires the forged request to carry the POST parameter user[admin]. The precondition is that a victim with rights to modify user accounts (an existing administrator) has an active authenticated OpenProject session in a browser that loads the attacker's page; the forged request rides on the victim's session cookies, so it also depends on the browser attaching those cookies to a cross-site POST. … |
| Risk Assessment | The supplied CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8) sits uneasily with a CSRF weakness: classic CSRF requires the victim to load attacker content, which is UI:R, and the attacker abuses the victim's session rather than their own privileges, which is normally PR:N. One reading that reconciles PR:L is that the attacker needs an existing low-privileged account to be the one elevated, but the published UI:N/PR:L pairing should still be verified against the GHSA advisory rather than trusted at face value. The numeric score does not hinge on this: with these impact metrics, PR:L/UI:N and PR:N/UI:R both give an exploitability sub-score of about 2.8 and a base score of 8.8, while PR:L together with UI:R would give 8.0. … |
| Exploit Scenario | An attacker hosts a web page with a hidden auto-submitting form that POSTs to https://victim-openproject/users/<attacker_account_id> with user[admin]=1, then lures a currently-logged-in OpenProject administrator to that page; the victim's browser submits the request with their session cookies and the attacker's account is elevated to administrator without any visible prompt. No public proof-of-concept is identified at time of analysis; the low attack complexity means a working forgery is trivial to build once the endpoint behaviour is known. |
| Remediation | Vendor-released patch: upgrade to OpenProject 17.3.3 (for 17.3.x deployments) or 17.4.1 (for 17.4.x deployments), per advisory GHSA-6crw-7f5r-4qj9 (https://github.com/opf/openproject/security/advisories/GHSA-6crw-7f5r-4qj9). … |
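The exploitation and exploit-scenario rows above describe a forged cross-site POST to /users/:id riding on an administrator's session. As an added example, not taken from vuln.today, OpenProject or the advisory, the script below hunts for that pattern in reverse-proxy access logs: it flags POSTs to /users/<id> whose Origin (or, failing that, Referer) header does not point at the site itself. The log format, the hostnames, the user column and the sample lines are all constructed assumptions; nginx can emit such a format with $http_origin and $http_referer, but you must match the regex to whatever your proxy actually writes. Access logs do not contain the POST body, so the user[admin] parameter itself is not visible here; the cross-site source is the signal, and a hit should be corroborated by checking which accounts currently hold administrator rights and when that changed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (not real OpenProject logs). Assumed nginx-style
# reverse-proxy format in front of OpenProject:
#   $remote_addr $user "$request" $status "$http_referer" "$http_origin"
# "-" means the header was absent; "null" is the literal Origin value browsers
# send for opaque origins (sandboxed frames, some redirect chains).
# The $user column is assumed to exist; with cookie sessions a proxy usually
# does not know the application user, so correlate by address and time instead.
SAMPLE_LOG = """\
203.0.113.5 alice "POST /users/42 HTTP/1.1" 302 "https://pm.example.org/users/42/edit" "https://pm.example.org"
198.51.100.9 bob "POST /users/17 HTTP/1.1" 302 "https://evil.example.net/lure.html" "https://evil.example.net"
198.51.100.9 bob "POST /users/17 HTTP/1.1" 302 "-" "null"
203.0.113.5 alice "GET /users/42 HTTP/1.1" 200 "https://pm.example.org/users" "-"
192.0.2.77 - "POST /login HTTP/1.1" 302 "https://pm.example.org/login" "https://pm.example.org"
"""

LINE_RE = re.compile(
    r'^(?P<addr>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)
# The update endpoint named in the advisory; OpenProject user ids are numeric.
USER_UPDATE_RE = re.compile(r"^/users/\d+$")


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def header_host(value):
    """Host part of a Referer/Origin value; None if absent, 'null' if opaque."""
    if value in ("", "-"):
        return None
    if value == "null":
        return "null"
    return urlsplit(value).hostname


def classify_source(entry, site_host):
    """Judge where a request came from, using Origin first and Referer as fallback."""
    for host in (header_host(entry["origin"]), header_host(entry["referer"])):
        if host == "null":
            return "null-origin"
        if host is not None:
            return "same-site" if host == site_host else "cross-site"
    # Neither header present: a non-browser client or an aggressive Referrer-Policy.
    # Browsers attach Origin to cross-site form POSTs, so review these by hand.
    return "no-origin"


def find_csrf_candidates(log_text, site_host):
    """Flag POSTs to /users/<id> that did not originate from the site itself.

    Returns (user, path, status, verdict) tuples. A 302 on the forged POST is what a
    Rails update typically answers with, but it does not by itself prove the change
    was applied; confirm against the current admin list.
    """
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "POST":
            continue
        path = entry["path"].split("?", 1)[0]
        if not USER_UPDATE_RE.match(path):
            continue
        verdict = classify_source(entry, site_host)
        if verdict != "same-site":
            findings.append((entry["user"], path, entry["status"], verdict))
    return findings


if __name__ == "__main__":
    for finding in find_csrf_candidates(SAMPLE_LOG, "pm.example.org"):
        print(finding)
```

Run against the constructed sample the script reports only the two POSTs attributed to bob: one with a foreign Origin and one with Origin "null". The same-site edit by alice, the GET, and the login POST are not reported. Treat "no-origin" hits as lower confidence rather than discarding them, since a forged request from a non-browser client or a stripped Referer lands there.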
Recommended Action (AI)
Within 24 hours: Inventory all OpenProject deployments and identify current versions in the 17.3.x and 17.4.x lines. …
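The inventory step above reduces to comparing each deployment's version against the two fixed releases the advisory names, with the branch taken into account (17.4.0 is affected even though it is newer than 17.3.3). As an added example that is not part of the original page or of OpenProject's own tooling, the helper below does that comparison for a list of instances. The hostnames are placeholders; the treatment of release lines newer than 17.4 as fixed is an assumption the page does not state, and pre-release suffixes are ignored during parsing.

```python
import re

# Fixed releases named in the advisory text, keyed by release line.
FIXED_IN_LINE = {
    (17, 3): (17, 3, 3),
    (17, 4): (17, 4, 1),
}
OLDEST_FIX = min(FIXED_IN_LINE.values())  # (17, 3, 3)


def parse_version(text):
    """'v17.3.2', '17.3.2-1' or '17.4' -> (17, 3, 2) / (17, 4, 0).

    Only the leading numeric components are used; build or pre-release
    suffixes are dropped (assumption: they do not change the fix status).
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True if the version is 'prior to 17.3.3 and 17.4.1' in the advisory's sense."""
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_IN_LINE:
        return v < FIXED_IN_LINE[line]
    # Every release line older than 17.3 predates both fixes.
    if v < OLDEST_FIX:
        return True
    # Lines newer than 17.4 are assumed to carry the fix (not stated on this page).
    return False


def recommended_target(version):
    """Fixed release to move to, or None if the version is already fixed."""
    if not is_vulnerable(version):
        return None
    line = parse_version(version)[:2]
    if line in FIXED_IN_LINE:
        return ".".join(map(str, FIXED_IN_LINE[line]))
    # No fixed release exists inside an older line: jump to a fixed line.
    return "17.3.3 or 17.4.1 (no fixed release in the %d.%d line)" % line


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: action}."""
    report = {}
    for host, version in inventory.items():
        target = recommended_target(version)
        report[host] = "ok" if target is None else f"upgrade to {target}"
    return report


if __name__ == "__main__":
    # Constructed inventory with placeholder hostnames.
    sample = {
        "pm-prod.example.org": "17.4.0",
        "pm-staging.example.org": "v17.3.2",
        "pm-legacy.example.org": "16.6.6",
        "pm-new.example.org": "17.4.1",
    }
    for host, action in triage(sample).items():
        print(f"{host}: {action}")
```

Feed it the versions reported by each instance's administration page or container tag; anything that does not parse raises rather than silently passing as "ok".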
Weakness: CWE-352 – Cross-Site Request Forgery (CSRF)
EUVD-2026-39868