Description
OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.
Published: 2026-03-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation / Unauthorized Content Creation
Action: Apply Patch
AI Analysis

Impact

An insufficient access control flaw (CWE-284) in OpenProject lets an authenticated user create wiki pages in projects they are not permitted to access, through a request whose project-level authorization is not properly checked. The flaw provides no remote code execution or data exfiltration; the CVSS vector (C:N/I:L/A:N) records an integrity-only impact. The advisory describes page creation only and does not claim that existing pages can be modified or deleted. Unauthorized creation is still useful to an attacker: a planted page can deface a project, carry misleading instructions, or seed links to attacker-controlled content that other members may trust because it appears inside their own project's wiki.

Affected Systems

The issue exists in OpenProject releases prior to 17.0.5 (17.0.x branch) and 17.1.2 (17.1.x branch). Any deployment running an earlier release remains affected until it is upgraded. The vulnerability was disclosed through a GitHub security advisory (the CVE is assigned by GitHub_M) together with the OpenProject release notes.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, requiring only a low-privileged authenticated account, no user interaction, and a limited integrity impact. The EPSS of <1% indicates a low probability of exploitation in the wild at this time, and the SSVC assessment records Exploitation: none and Automatable: no. The vulnerability is not listed in CISA's KEV catalog. An attacker needs a valid account on the instance and must craft an HTTP(S) request to the wiki creation endpoint that names a project they are not a member of; no elevated role is required. The low exploitation probability reflects the need for an account and the absence of public exploitation evidence, not any difficulty in constructing the request.

Generated by OpenCVE AI on April 16, 2026 at 12:18 UTC.

Remediation

Vendor fix: upgrade to OpenProject 17.0.5 (17.0.x branch) or 17.1.2 (17.1.x branch). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.0.5 or later if running 17.0.x, or to version 17.1.2 or later if on the 17.1.x branch to apply the vendor patch that fixes the access control flaw.
  • If upgrading is not immediately possible, shrink the set of accounts that can reach the wiki creation endpoint at all: remove wiki create/edit permissions from roles that do not need them, disable self-registration where it is enabled, and review recently created wiki pages whose author is not a member of the containing project, since a non-member author is the artifact this flaw leaves behind.
  • Review and tighten role definitions and project access settings so that users cannot create or modify wiki content in projects outside their scope of work, and keep that review in place after patching so the audit trail stays meaningful.
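As an added example (not OpenCVE's or OpenProject's own code), the following Python ties the actions above together: a branch-aware check of whether a running version falls in the affected range, and an audit that flags wiki pages whose author is not a member of the containing project. The membership and page records are constructed sample data; in practice they would come from an export of the OpenProject database or its API. The `admins` exclusion assumes administrators may legitimately write anywhere, and treating 17.2 and later as unaffected is an assumption: the advisory names only 17.0.5 and 17.1.2 as fixed.

```python
from dataclasses import dataclass

# Fixed releases per the advisory: 17.0.5 on the 17.0 branch, 17.1.2 on the 17.1 branch.
FIXED_BY_BRANCH = {(17, 0): (17, 0, 5), (17, 1): (17, 1, 2)}


def parse_version(text):
    """'17.0.4' -> (17, 0, 4). Tolerates a leading 'v' and a '-N' package revision suffix."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if `version` falls inside the affected range for CVE-2026-27723."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # Every release before the 17.0 branch predates both fixes. Branches after 17.1 are
    # not named in the advisory; this assumes they were cut with the fix already in place.
    return branch < (17, 0)


@dataclass(frozen=True)
class WikiPage:
    project: str      # identifier of the project the page belongs to
    title: str
    author: str       # login of the user who created the page
    created_at: str   # ISO 8601 timestamp


# Constructed sample data, not taken from any real instance.
MEMBERSHIPS = {
    "alpha": {"alice", "bob"},
    "beta": {"carol"},
    "gamma": {"alice"},
}
PAGES = [
    WikiPage("alpha", "Roadmap", "alice", "2026-03-01T09:00:00Z"),
    WikiPage("beta", "Onboarding", "carol", "2026-03-02T10:00:00Z"),
    WikiPage("beta", "Payment-instructions", "bob", "2026-03-04T22:13:00Z"),   # bob is not in beta
    WikiPage("gamma", "Release-notes", "mallory", "2026-03-04T22:15:00Z"),     # mallory is in no project
]


def find_non_member_pages(pages, memberships, admins=frozenset()):
    """Return pages whose author is not a member of the page's project.

    Administrators are excluded because they can legitimately act in any project.
    With the patched behaviour this list should be empty apart from members removed
    after writing; with the vulnerable behaviour it is where exploitation shows up.
    """
    return [
        p for p in pages
        if p.author not in admins and p.author not in memberships.get(p.project, set())
    ]


def group_by_author(pages):
    """Collapse flagged pages into {author: [(project, title, created_at), ...]} for triage."""
    out = {}
    for p in pages:
        out.setdefault(p.author, []).append((p.project, p.title, p.created_at))
    return out


if __name__ == "__main__":
    for ver in ("17.0.4", "17.0.5", "17.1.1", "17.1.2"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    flagged = find_non_member_pages(PAGES, MEMBERSHIPS)
    for author, hits in group_by_author(flagged).items():
        print(author, hits)
```

A page that fails the membership check is not by itself proof of exploitation: a legitimate member may have been removed after writing it, and an administrator can create pages anywhere. Compare against membership history where the instance retains it, and prioritise clusters where one account wrote into several projects it never belonged to within a short window.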

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 18:30:00 +0000 (values added; nothing removed)
  First Time appeared: Openproject; Openproject openproject
  Weaknesses: NVD-CWE-noinfo
  CPEs: cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
  Vendors & Products: Openproject; Openproject openproject

Fri, 06 Mar 2026 17:15:00 +0000 (values added; nothing removed)
  Metrics: ssvc
    Automatable: no
    Exploitation: none
    Technical Impact: partial
    version: 2.0.3

Fri, 06 Mar 2026 15:30:00 +0000 (values added; nothing removed)
  First Time appeared: Opf; Opf openproject
  Vendors & Products: Opf; Opf openproject

Thu, 05 Mar 2026 18:15:00 +0000 (values added; nothing removed)
  Description: OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.
  Title: OpenProject: Insufficient access control leads to create Wiki objects belongs unpermitted projects
  Weaknesses: CWE-284
  References:
  Metrics: cvssV3_1
    score: 4.3
    vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:11:41.415Z

Reserved: 2026-02-23T18:37:14.789Z

Link: CVE-2026-27723

Vulnrichment

Updated: 2026-03-06T15:50:54.960Z

NVD

Status : Analyzed

Published: 2026-03-05T19:16:05.660

Modified: 2026-03-10T18:21:31.617

Link: CVE-2026-27723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses