CVE-2026-24777 - Vulnerability Details

- OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts

Description

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.

Published: 2026-02-09

Score: 6.7 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OpenProject, an open‑source project‑management platform, contains a flaw that permits any user granted the Manage Users permission to lock or unlock any account, including those belonging to application administrators. The missing permission check allows a legitimate user to disable administrative access, resulting in a denial of service for critical management functions. The weakness is a missing authorization check, identified as CWE‑862.

Affected Systems

The vulnerability affects OpenProject installations prior to version 17.0.2. Any role with Manage Users rights, regardless of other privileges, can target administrator accounts. Versions 17.0.2 and later have the fix in place.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity, while the EPSS score of less than 1 % reflects a very low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog. Exploitation requires a legitimate user with Manage Users rights, so an attacker would typically be an insider or one who has gained such permissions. Although it does not enable remote code execution, it permits administrative lock‑out, which can disrupt project‑management operations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

opf

openproject

affected

Version	Status	Constraints
`< 17.0.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Opf

Openproject

—

Version	Status	Scheme	Platform
`[0,17.0.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to OpenProject 17.0.2 or later to apply the vendor patch.
Revoke the Manage Users permission from any users who do not require it, ensuring only trusted personnel retain account‑management rights.
Continuously audit lock/unlock activity logs and set alerts for repeated lock attempts on administrator accounts to detect potential abuse.

Generated by OpenCVE AI on April 18, 2026 at 13:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00062.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/opf/openproject/releases/tag/v17.0.2
https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69

History

Wed, 11 Feb 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openproject Openproject openproject
CPEs		cpe:2.3:a:openproject:openproject::::::::
Vendors & Products		Openproject Openproject openproject

Tue, 10 Feb 2026 12:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opf Opf openproject
Vendors & Products		Opf Opf openproject

Mon, 09 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.
Title		OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts
Weaknesses		CWE-862
References		https://github.com/opf/openproject/releases/tag/v17.0.2 https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69
Metrics		cvssV3_1 `{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H'}`

Subscriptions

Openproject Openproject

Opf Openproject

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-09T18:28:45.146Z

Updated: 2026-02-09T19:14:26.197Z

Reserved: 2026-01-26T21:06:47.869Z

Link: CVE-2026-24777

Vulnrichment

Updated: 2026-02-09T19:14:21.379Z

NVD

Status : Analyzed

Published: 2026-02-09T19:15:50.200

Modified: 2026-02-11T18:28:40.220

Link: CVE-2026-24777

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:15:25Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object