7.1
CVE-2026-40896
- EPSS 0.17%
- Veröffentlicht 20.04.2026 15:12:52
- Zuletzt bearbeitet 23.04.2026 13:45:17
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginOpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openproject ≫ Openproject Version < 17.3.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.07 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.1 | 2.8 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
|
| security-advisories@github.com | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
|
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245
https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe