Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
A network-reachable PATCH with low attack complexity that requires project-admin rights (PR:L); the cross-project storage impact gives S:C with C:H and I:H (ACL overwrite), and A:L since victims may lose folder access.
Primary rating from vendor (GitHub_M).
CVSS vector (vendor: GitHub_M): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]" that leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
Analysis (AI)
Cross-project folder hijacking in OpenProject before 17.3.3 and 17.4.1 lets a project-admin abuse an insecure direct object reference (CWE-639) to take over another project's managed Nextcloud or OneDrive storage folder. By PATCHing the storages_project_storage[project_folder_id] parameter on /projects/<id>/settings/project_storages/<ps_id>, an attacker writes a victim project's folder ID into their own ProjectStorage row, and the next managed-folder sync rewrites the target folder's ACL to the attacker's project member list. …
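The root cause described above is that the PATCH handler accepted any project_folder_id for a ProjectStorage row without checking whether another project on the same storage already referenced that folder. The Ruby below is an added example written for this page, not OpenProject's own code or its actual fix in 17.3.3/17.4.1: it shows the tenant-scoped guard a defender would want in front of such an assignment, plus an audit that finds folder IDs referenced by more than one project on the same storage, which is the state an already-exposed instance would be left in after a hijack. The ProjectStorage struct, its field names, the sample rows and the error class are all assumptions.

```ruby
# Added example (not OpenProject's code or its vendor fix): a guard for
# project_folder_id assignment and an audit for cross-project folder references.
#
# Assumptions (hypothetical): a ProjectStorage row is modelled as a Struct with
# :id, :project_id, :storage_id and :project_folder_id; an in-memory array
# stands in for the storages_project_storages table.

ProjectStorage = Struct.new(:id, :project_id, :storage_id, :project_folder_id, keyword_init: true)

# Constructed sample rows: two projects sharing storage 1, one project on storage 2.
# Folder IDs are opaque values handed out by the storage backend, so the same
# ID on a different storage is a different folder and is not a conflict.
SAMPLE_ROWS = [
  ProjectStorage.new(id: 1, project_id: 10, storage_id: 1, project_folder_id: "folder-A"),
  ProjectStorage.new(id: 2, project_id: 20, storage_id: 1, project_folder_id: "folder-B"),
  ProjectStorage.new(id: 3, project_id: 30, storage_id: 2, project_folder_id: "folder-A"),
].freeze

class FolderHijackError < StandardError; end

# Guard to run before persisting a PATCH that changes project_folder_id.
# Two checks: the acting project must own the row being edited, and no other
# row on the same storage may already reference the requested folder. Without
# the second check, a project-admin can point their own row at a folder that
# belongs to another project, and the next managed-folder sync rewrites that
# folder's ACL with the wrong member list.
def assign_project_folder!(rows, storage_row_id, new_folder_id, acting_project_id)
  row = rows.find { |r| r.id == storage_row_id }
  raise FolderHijackError, "unknown project storage #{storage_row_id}" unless row
  unless row.project_id == acting_project_id
    raise FolderHijackError, "project #{acting_project_id} does not own row #{storage_row_id}"
  end

  conflict = rows.find do |r|
    r.id != row.id && r.storage_id == row.storage_id && r.project_folder_id == new_folder_id
  end
  if conflict
    raise FolderHijackError,
          "folder #{new_folder_id} on storage #{row.storage_id} already belongs to project #{conflict.project_id}"
  end

  row.project_folder_id = new_folder_id
  row
end

# Audit: folder IDs referenced by more than one project on the same storage.
# Returns one hash per duplicated (storage_id, project_folder_id) pair with the
# sorted list of project IDs that reference it. A non-empty result on an
# instance that ran a vulnerable version is worth a manual ACL review of the
# listed folders, since the sync will have applied whichever project's member
# list ran last.
def duplicate_folder_references(rows)
  rows.reject { |r| r.project_folder_id.nil? }
      .group_by { |r| [r.storage_id, r.project_folder_id] }
      .select { |_, group| group.size > 1 }
      .map do |(storage_id, folder_id), group|
        { storage_id: storage_id, project_folder_id: folder_id, project_ids: group.map(&:project_id).sort }
      end
end

if __FILE__ == $PROGRAM_NAME
  rows = SAMPLE_ROWS.map(&:dup)
  begin
    assign_project_folder!(rows, 1, "folder-B", 10) # project 10 trying to take project 20's folder
  rescue FolderHijackError => e
    puts "rejected: #{e.message}"
  end
  rows[0].project_folder_id = "folder-B" # simulate a write that got through on a vulnerable version
  p duplicate_folder_references(rows)
end
```

The guard keys the conflict check on (storage_id, project_folder_id) rather than on project_folder_id alone, because the advisory scopes the hijack to projects on the same storage; applying the audit across an instance's real rows is a cheap way to confirm that no cross-project reference was written before the upgrade.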
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the attacker already hold project-admin (PR:L) on at least one project, that the OpenProject instance use the Nextcloud or OneDrive/SharePoint file-storage integration with the 'managed folder' automation enabled, and that the attacker's project and the victim's project share the same underlying storage backend so their folder IDs are addressable from the same ProjectStorage scope. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are partially aligned and partially missing. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who is project-admin of a low-value project on a shared Nextcloud storage learns or guesses the project_folder_id of a sensitive project, then sends a crafted PATCH request setting storages_project_storage[project_folder_id] to that value on their own project's storage settings. When the next managed-folder sync runs, OpenProject overwrites the victim folder's ACL with the attacker's project members, granting them read/write access to confidential files and locking out legitimate users. … |
| Remediation | Vendor-released patch: upgrade to OpenProject 17.3.3 or 17.4.1 (whichever matches your branch), per advisory https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Identify and document all OpenProject deployments and versions in use; audit which projects have Nextcloud or OneDrive integrations enabled; consider temporarily disabling cloud storage integrations if operationally feasible. …
EUVD-2026-39870