6.7

CVE-2026-24777

EPSS 0.32%
Veröffentlicht 09.02.2026 18:28:45
Zuletzt bearbeitet 11.02.2026 18:28:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openproject ≫ Openproject Version < 17.0.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.236

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.7	1.2	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/opf/openproject/releases/tag/v17.0.2

Release Notes

https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-24777

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24777

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24777

EUVD