Description
OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked whether the session belongs to the user. As the IDs used to identify these session objects are incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus log out other users. Users did not have access to any sensitive information (such as browser identifier, IP addresses, etc.) of other users that is stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available, as the action does not require any permission or other setting that could be temporarily disabled.
Published: 2026-01-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unintended session termination
Action: Patch Immediately
AI Analysis

Impact

OpenProject allows authenticated users to terminate sessions of others due to a missing ownership check on the session delete endpoint. The deletion is performed by sending DELETE /my/sessions/:id requests where the :id value is a simple integer. Although no sensitive data such as IP or browser identifier is exposed, the ability to forcibly log out another user can disrupt work and impair collaborative processes. This flaw is a classic example of improper authorization leading to Denial of Service for legitimate users.
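The ownership check that the description says was missing, modelled in plain Ruby as an added illustration (this is not OpenProject's code): a vulnerable controller that fetches a session by id alone, beside a hardened one whose lookup is scoped to the caller's own sessions. The SessionStore, the controller classes and the user ids are assumptions made for the example.

```ruby
# Added example, not OpenProject's code: the missing ownership check on
# DELETE /my/sessions/:id, modelled in plain Ruby (no Rails dependency).
# SessionStore, the controller classes and the user ids are assumptions.

UserSession = Struct.new(:id, :user_id, :ip, :user_agent)

class SessionStore
  def initialize
    @sessions = {}
    @next_id = 0
  end

  # Ids are incremental integers, as the advisory describes, so a foreign
  # session id is trivially guessable.
  def create(user_id, ip:, user_agent:)
    @next_id += 1
    @sessions[@next_id] = UserSession.new(@next_id, user_id, ip, user_agent)
  end

  def find(id)
    @sessions[id]
  end

  def for_user(user_id)
    @sessions.values.select { |s| s.user_id == user_id }
  end

  def delete(id)
    @sessions.delete(id)
  end

  def ids
    @sessions.keys
  end
end

# Vulnerable shape: the record is fetched by id alone and deleted. Nothing
# compares session.user_id with the caller.
class VulnerableSessionsController
  def initialize(store)
    @store = store
  end

  def destroy(current_user_id, id)
    session = @store.find(id)
    return 404 unless session

    @store.delete(session.id)
    204
  end
end

# Hardened shape: the lookup itself is scoped to the caller's sessions, so a
# foreign id is simply "not found". Answering 404 rather than 403 also avoids
# confirming that another user's session id exists.
class HardenedSessionsController
  def initialize(store)
    @store = store
  end

  def destroy(current_user_id, id)
    session = @store.for_user(current_user_id).find { |s| s.id == id }
    return 404 unless session

    @store.delete(session.id)
    204
  end
end

# Constructed scenario: alice (user 1) holds session 1, bob (user 2) holds
# session 2. Alice first asks to end bob's session, then her own.
def demo(controller_class)
  store = SessionStore.new
  store.create(1, ip: "203.0.113.10", user_agent: "Firefox")
  store.create(2, ip: "203.0.113.20", user_agent: "Chrome")
  controller = controller_class.new(store)
  cross_user = controller.destroy(1, 2)
  own = controller.destroy(1, 1)
  { cross_user: cross_user, own: own, remaining: store.ids }
end

if __FILE__ == $PROGRAM_NAME
  p demo(VulnerableSessionsController) # bob's session is gone: 204, remaining []
  p demo(HardenedSessionsController)   # bob untouched: 404, remaining [2]
end
```

Scoping the query to the current user (in Rails terms, `current_user.sessions.find(...)` rather than `Session.find(...)`) is the fix pattern; a separate `if session.user_id != current_user.id` check after an unscoped fetch works too, but is easier to forget in the next endpoint.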

Affected Systems

The issue affects OpenProject versions released before 16.6.5 and 17.0.1. Customers running any earlier release of OpenProject should verify whether their installation still contains the unpatched session deletion endpoint.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 and an EPSS score of less than 1%, indicating moderate severity but a very low probability of current exploitation. It is not listed in the CISA KEV catalog. Based on the description, the attack vector is local: an attacker must first authenticate to the web application. Once authenticated, the attacker can iterate numeric session IDs and send delete requests, forcibly logging out other users regardless of their permission level. The flaw requires no elevated privileges and no additional conditions beyond a valid authenticated session.

Generated by OpenCVE AI on April 18, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • upgrade OpenProject to version 16.6.5 or newer in the 16.x line, or to 17.0.1 or newer in the 17.x line
  • ensure that the session deletion API enforces ownership checks, or restrict DELETE /my/sessions/:id to the session owner only
  • implement monitoring of session deletion activity to detect any anomalous or non-owner requests
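One way to implement the monitoring in the last recommendation, as an added example that is neither OpenCVE's nor OpenProject's code: a scanner that flags users who issue DELETE /my/sessions/:id for many distinct session ids within a short window, which is what iterating integer ids looks like in an access log. The log line format, the thresholds and the sample entries are constructed for the example and must be adapted to the real log format.

```ruby
# Added example, not OpenProject's code: flag users who delete many distinct
# session ids in a short window. The log format below is constructed for the
# example (timestamp user=<id> METHOD path status); adapt LINE to real logs.
require "time"

LINE = /\A(?<ts>\S+) user=(?<user>\d+) (?<method>[A-Z]+) (?<path>\S+) (?<status>\d{3})\z/
SESSION_PATH = %r{\A/my/sessions/(?<id>\d+)\z}

# Returns an event hash for a DELETE /my/sessions/:id line, nil for anything else.
def parse(line)
  m = LINE.match(line)
  return nil unless m && m[:method] == "DELETE"

  sp = SESSION_PATH.match(m[:path])
  return nil unless sp

  { ts: Time.iso8601(m[:ts]), user: m[:user].to_i, id: sp[:id].to_i, status: m[:status].to_i }
end

# Largest number of distinct session ids one user targeted inside any
# `window`-second span. Events must be sorted by timestamp.
def max_distinct_ids_in_window(events, window)
  best = 0
  events.each_with_index do |start, i|
    ids = events[i..].take_while { |e| e[:ts] - start[:ts] <= window }.map { |e| e[:id] }.uniq
    best = ids.size if ids.size > best
  end
  best
end

# A user ending a handful of their own sessions is normal; dozens of distinct
# ids in a minute is iteration. Before the patch those requests succeed (204);
# after it they surface as 404s, so the status is kept but not filtered on.
def suspicious_users(lines, threshold: 5, window: 60)
  events = lines.filter_map { |l| parse(l) }.sort_by { |e| e[:ts] }
  events.group_by { |e| e[:user] }.each_with_object({}) do |(user, evs), out|
    n = max_distinct_ids_in_window(evs, window)
    out[user] = n if n >= threshold
  end
end

# Constructed sample: user 3 ends two of her own sessions; user 7 deletes
# eight consecutive ids in 14 seconds.
SAMPLE_LOG = [
  "2026-01-19T10:00:00Z user=3 DELETE /my/sessions/41 204",
  "2026-01-19T10:00:05Z user=3 GET /my/sessions 200",
  "2026-01-19T10:00:09Z user=3 DELETE /my/sessions/42 204"
] + (101..108).each_with_index.map { |id, i|
  format("2026-01-19T10:01:%02dZ user=7 DELETE /my/sessions/%d 204", i * 2, id)
}

if __FILE__ == $PROGRAM_NAME
  p suspicious_users(SAMPLE_LOG) # user 7 with 8 distinct ids; user 3 is below threshold
end
```

The threshold and window are tuning knobs: set them from a baseline of how many sessions a real user ends per minute, and alert on the flagged users together with the ids they touched so the owner of those sessions can be notified.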


Advisories

No advisories yet.

History

Mon, 02 Feb 2026 21:00:00 +0000

Type: CPEs (values added)
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
cpe:2.3:a:openproject:openproject:17.0.0:*:*:*:*:*:*:*

Tue, 20 Jan 2026 16:15:00 +0000

Type: Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared (values added): Openproject; Openproject openproject
Type: Vendors & Products (values added): Openproject; Openproject openproject

Mon, 19 Jan 2026 18:00:00 +0000

Type: Description (values added): OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked whether the session belongs to the user. As the IDs used to identify these session objects are incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus log out other users. Users did not have access to any sensitive information (such as browser identifier, IP addresses, etc.) of other users that is stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available, as the action does not require any permission or other setting that could be temporarily disabled.
Type: Title (values added): OpenProject users can delete other users' sessions, causing them to be logged out
Type: Weaknesses (values added): CWE-488
Type: References (values added): none listed
Type: Metrics (values added): cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Updated: 2026-01-20T14:54:40.162Z

Reserved: 2026-01-14T16:08:37.484Z

Link: CVE-2026-23646

Vulnrichment

Updated: 2026-01-20T14:54:36.799Z

NVD

Status : Analyzed

Published: 2026-01-19T18:16:05.587

Modified: 2026-02-02T20:46:13.157

Link: CVE-2026-23646

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses