Impact
Prior to OpenProject version 17.2.0, the application reassigned WorkPackages to a new budget before validating the caller's permission to delete the budget. Because the state change happened ahead of the authorization check, any authenticated user could delete budget assignments and move WorkPackages into arbitrary other budgets, bypassing the intended access controls and compromising the integrity of project data. The weakness aligns with CWE‑863 (Incorrect Permission Assignment for Critical Functionality).
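The ordering defect described above is easiest to see side by side. The following Ruby example is added here for illustration and is not OpenProject's code; the classes (Store, DeleteBudgetUnchecked, DeleteBudgetChecked), the permission name :delete_budgets and the sample work packages are all hypothetical. It models a budget-deletion service in the faulty order (reassign first, authorize afterwards) and in the corrected order (authorize before any write), and shows that raising an authorization error after the write does not undo the reassignment.

```ruby
# Added illustration (hypothetical, not OpenProject's code): authorization
# must run before any state change. Two service variants on an in-memory store.

Budget      = Struct.new(:id, :name)
WorkPackage = Struct.new(:id, :budget_id)
User        = Struct.new(:name, :permissions)

class NotAuthorized < StandardError; end

# Minimal in-memory store standing in for the database (constructed).
class Store
  attr_reader :work_packages

  def initialize(work_packages)
    @work_packages = work_packages
  end

  def packages_for(budget_id)
    work_packages.select { |wp| wp.budget_id == budget_id }
  end
end

# Hypothetical permission check; :delete_budgets is an assumed permission name.
module Authorization
  def self.can_delete_budget?(user)
    user.permissions.include?(:delete_budgets)
  end
end

# Faulty ordering: work packages are moved to the replacement budget before
# the caller's right to delete the budget is verified. The service still
# raises for an unauthorized caller, but the reassignment has already happened.
class DeleteBudgetUnchecked
  def initialize(store)
    @store = store
  end

  def call(user:, budget:, reassign_to:)
    @store.packages_for(budget.id).each { |wp| wp.budget_id = reassign_to.id }
    raise NotAuthorized unless Authorization.can_delete_budget?(user)
    :deleted
  end
end

# Corrected ordering: authorize first, so an unauthorized caller touches nothing.
class DeleteBudgetChecked
  def initialize(store)
    @store = store
  end

  def call(user:, budget:, reassign_to:)
    raise NotAuthorized unless Authorization.can_delete_budget?(user)
    @store.packages_for(budget.id).each { |wp| wp.budget_id = reassign_to.id }
    :deleted
  end
end

# Runs one service variant for a user against a fresh store and returns the
# outcome together with the budget id of every work package afterwards.
def run_scenario(service_class, user)
  store = Store.new([WorkPackage.new(1, 10), WorkPackage.new(2, 10), WorkPackage.new(3, 20)])
  result = service_class.new(store).call(
    user: user, budget: Budget.new(10, "Q1"), reassign_to: Budget.new(20, "Q2")
  )
  [result, store.work_packages.map(&:budget_id)]
rescue NotAuthorized
  [:denied, store.work_packages.map(&:budget_id)]
end

if __FILE__ == $PROGRAM_NAME
  viewer = User.new("viewer", [:view_work_packages])
  admin  = User.new("admin",  [:view_work_packages, :delete_budgets])
  p run_scenario(DeleteBudgetUnchecked, viewer) # [:denied, [20, 20, 20]]  data changed despite denial
  p run_scenario(DeleteBudgetChecked,   viewer) # [:denied, [10, 10, 20]]  data untouched
  p run_scenario(DeleteBudgetChecked,   admin)  # [:deleted, [20, 20, 20]]
end
```

The useful regression test is the second scenario: a caller without the permission must leave every work package exactly where it was. A test that only checks for the raised error would pass against both variants and miss the defect entirely.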
Affected Systems
The vulnerability affects OpenProject deployments with any version earlier than 17.2.0, as identified via the vendor identifier opf:openproject and the corresponding CPE string. It applies to all installations of the OpenProject web application that have the budgeting feature enabled. No specific sub‑versions are listed, so all builds prior to the 17.2.0 release are unpatched.
Risk and Exploitability
The CVSS base score of 6.5 corresponds to a Medium severity rating. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated web‑based interaction: any user with access to the application can perform the delete operation, as the description notes that “all users in the application” can trigger the bypass. Exploitation requires no privilege beyond standard application access, so an insider or an attacker holding a compromised user account can corrupt budgeting data with little effort.
OpenCVE Enrichment