Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user planned in the budget was actually a project member. This exposed the user's default rate (if one was set up) to users who should only see that information for project members. The endpoint that handles the pre-calculation for the frontend, which displays a preview of the costs while they are being entered, also did not properly validate the membership of the user, so costs could be calculated with the default rate of non-members. This vulnerability is fixed in 17.2.0.
Published: 2026-03-11
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability in OpenProject allows a user who is editing a project budget to plan labor cost against a user who is not a member of that project, and the cost-preview endpoint performs the same calculation without verifying membership either. In both cases the non-member's default (global) hourly rate is used and thereby exposed, either directly or as a computed cost from which the rate follows (cost divided by planned hours), leaking individualized cost information to users who should only see the rates of project members. The weakness is classified as CWE‑863 (Incorrect Authorization): the caller's permission to edit budgets was checked, but the authorization decision did not extend to the user being planned, who must belong to the project.

Affected Systems

All OpenProject deployments running a version earlier than 17.2.0 are affected, whether self‑hosted or operated by a hosting provider. The vulnerable code is reached through the project budget editing and cost‑preview features, so instances that use budgets with planned labor cost are the ones exposed.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects a network‑reachable flaw that requires only low privileges and no user interaction, with a limited confidentiality impact and no impact on integrity or availability. The EPSS score is below 1%, suggesting a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment records no known exploitation, rates it as not automatable and assigns a partial technical impact. An attacker needs an authenticated account with permission to edit a project's budget: by supplying the identifier of a user who is not a member of that project in the budget form or in the cost‑preview request, they obtain that user's default rate, either directly or as the computed labor cost.

Generated by OpenCVE AI on March 20, 2026 at 17:06 UTC.
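As an added illustration (this is not OpenProject's code; the project, users, rates and memberships below are constructed test data and the function names are hypothetical), the following Ruby models a labor-cost preview endpoint in the vulnerable shape the description gives, beside a hardened version that ties the rate lookup to project membership:

```ruby
# Added example, not OpenProject code. It models the labor-cost preview the
# CVE description talks about: the client sends a user id and planned hours,
# the server multiplies hours by that user's default (global) hourly rate.
# Projects, users, rates and memberships below are constructed test data.

Project = Struct.new(:id, :member_ids)
User    = Struct.new(:id, :name, :default_rate)

USERS = {
  1 => User.new(1, "alice", 90.0),  # member of project 10, has a default rate
  2 => User.new(2, "bob",   nil),   # member of project 10, no default rate set
  3 => User.new(3, "carol", 140.0), # not a member of project 10
}.freeze

PROJECTS = { 10 => Project.new(10, [1, 2]) }.freeze

class NotMemberError < StandardError; end

# Shared arithmetic: nil when the user has no default rate, otherwise the
# rate and the resulting cost. Returning only :cost would not hide the
# rate, since rate == cost / hours.
def labor_cost(user, hours)
  return nil if user.default_rate.nil?
  { user: user.name, rate: user.default_rate, cost: user.default_rate * hours }
end

# Vulnerable shape (the pre-17.2.0 behaviour as described): the user id is
# trusted as sent and project membership is never consulted, so the rate of
# any user in the instance can be read by anyone allowed to edit a budget.
def preview_labor_cost_vulnerable(_project_id, user_id, hours)
  labor_cost(USERS.fetch(user_id), hours)
end

# Hardened shape: membership is checked in the same code path that resolves
# the rate. Filtering the frontend's user picker alone is not enough, because
# the preview endpoint is a separate request whose parameters the client
# controls.
def preview_labor_cost(project_id, user_id, hours)
  project = PROJECTS.fetch(project_id)
  unless project.member_ids.include?(user_id)
    raise NotMemberError, "user #{user_id} is not a member of project #{project_id}"
  end
  labor_cost(USERS.fetch(user_id), hours)
end

# Endpoint-style wrapper: a non-member id yields 403 with neither rate nor cost.
def handle_preview(project_id, params)
  [200, preview_labor_cost(project_id, params[:user_id], params[:hours])]
rescue NotMemberError => e
  [403, { error: e.message }]
end

if __FILE__ == $PROGRAM_NAME
  p preview_labor_cost_vulnerable(10, 3, 2.0)   # carol's rate leaks to the caller
  p handle_preview(10, { user_id: 3, hours: 2.0 }) # rejected: 403
  p handle_preview(10, { user_id: 1, hours: 2.0 }) # allowed: alice is a member
end
```

The check sits next to the rate lookup rather than in the form's user picker because the preview is a request of its own; the same membership test should guard the save path for the budget item, since both code paths were affected in the description.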

Remediation

Vendor fix: OpenProject 17.2.0 (per the CVE description). No workaround other than upgrading is listed.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.2.0 or later to enforce membership checks during budget calculations.
  • Verify that the upgrade prevents inclusion of non‑member users in budget edits or preview calculations.
  • Review which user accounts have a default (global) hourly rate configured; only those users' rates could have been read, so they are the accounts whose cost data may have been exposed.
  • Monitor access logs for budget edit or cost‑preview requests that reference user identifiers outside the project's membership, and apply additional access controls if necessary.

Generated by OpenCVE AI on March 20, 2026 at 17:06 UTC.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Openproject
                                        Openproject openproject
  CPEs                                  cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*
  Vendors & Products                    Openproject
                                        Openproject openproject

Thu, 12 Mar 2026 10:15:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Opf
                                        Opf openproject
  Vendors & Products                    Opf
                                        Opf openproject

Wed, 11 Mar 2026 18:15:00 +0000

  Type      Values Removed   Values Added
  Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 16:30:00 +0000

  Type         Values Removed   Values Added
  Description                   OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate (if one was set up) to users that should only see that information for project members. Also, the endpoint that handles the pre-calculation for the frontend to display a preview of the costs, while it was being entered, did not properly validate the membership of the user as well. This also allowed to calculate costs with the default rate of non-members. This vulnerability is fixed in 17.2.0.
  Title                         OpenProject users that are not project members can be used to calculate Labor Budget, leaking their global hourly rate
  Weaknesses                    CWE-863
  References
  Metrics                       cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T17:14:22.003Z

Reserved: 2026-03-04T17:23:59.798Z

Link: CVE-2026-30236

Vulnrichment

Updated: 2026-03-11T17:14:13.174Z

NVD

Status: Analyzed

Published: 2026-03-11T17:16:57.623

Modified: 2026-03-13T19:02:34.213

Link: CVE-2026-30236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:24Z

Weaknesses