CVE-2026-24776

EPSS 0.03%
Veröffentlicht 06.02.2026 18:15:58
Zuletzt bearbeitet 23.02.2026 18:14:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openproject ≫ Openproject Version < 17.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.088

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/opf/openproject/releases/tag/v17.0.2

Release Notes

https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-24776

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24776

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24776

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24776