Description
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
Published: 2026-04-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized users can inject agenda items into meetings of projects they do not own or have access to
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in OpenProject allows an attacker who holds the manage_agendas permission in any project to inject agenda items into meetings belonging to projects the attacker cannot access. The flaw is an unscoped section lookup: the attacker can supply an arbitrary section identifier, so agenda items are created in any meeting on the instance without the attacker having to discover the target project first. This cross-project injection can deface meeting agendas, insert misleading information, or support social engineering. The weakness is related to unauthorized data manipulation (CWE-367, CWE-639).
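Illustrative Ruby (OpenProject is a Rails application) showing the unscoped lookup the analysis describes beside the project-scoped lookup that closes it. This is an added example, not OpenProject's code; the Project/Meeting/Section structures, the in-memory tables and the manage_agendas? check are constructed stand-ins for the real models and permission system.

```ruby
# Constructed in-memory stand-in for the database (not OpenProject's schema):
# meetings belong to projects, sections belong to meetings, and ids are
# sequential integers, which is what makes blind iteration possible.
Project = Struct.new(:id, :member_ids)
Meeting = Struct.new(:id, :project_id)
Section = Struct.new(:id, :meeting_id, :items)

PROJECTS = { 1 => Project.new(1, [100]), 2 => Project.new(2, [200]) }
MEETINGS = { 10 => Meeting.new(10, 1), 20 => Meeting.new(20, 2) }
SECTIONS = { 5 => Section.new(5, 10, []), 6 => Section.new(6, 20, []) }

class NotFound < StandardError; end
class NotAuthorized < StandardError; end

# Assumed permission model: user 100 holds manage_agendas in project 1 only,
# user 200 in project 2 only.
def manage_agendas?(user_id, project_id)
  PROJECTS.fetch(project_id).member_ids.include?(user_id)
end

# Vulnerable shape (CWE-639): the permission check is made against the meeting
# named in the request, but the section is then fetched by the client-supplied
# id alone. A section id belonging to a meeting in another project passes
# straight through, and the item is written there.
def create_item_unscoped(user_id, meeting_id, section_id, title)
  meeting = MEETINGS.fetch(meeting_id) { raise NotFound }
  raise NotAuthorized unless manage_agendas?(user_id, meeting.project_id)
  section = SECTIONS.fetch(section_id) { raise NotFound } # not tied to `meeting`
  section.items << title
  section.meeting_id # where the item actually landed
end

# Fixed shape: resolve the section through the authorised meeting. A section
# id from any other meeting is simply not found, so the permission check and
# the write always concern the same project.
def create_item_scoped(user_id, meeting_id, section_id, title)
  meeting = MEETINGS.fetch(meeting_id) { raise NotFound }
  raise NotAuthorized unless manage_agendas?(user_id, meeting.project_id)
  section = SECTIONS.values.find { |s| s.id == section_id && s.meeting_id == meeting.id }
  raise NotFound if section.nil?
  section.items << title
  section.meeting_id
end
```

The same request that lands an item in another project's meeting through the unscoped path is rejected as not found by the scoped path, which is the behaviour to verify after upgrading.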

Affected Systems

Versions of OpenProject prior to 17.3.0 are affected. Any instance running a vulnerable version in which any user has been granted the manage_agendas permission for any project can be exploited. The vulnerability does not depend on specific application modules or operating systems; it is purely a logic flaw in OpenProject's application code.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests it is not yet known to be actively exploited. An attacker needs only a legitimate user account with the manage_agendas permission; no further knowledge of target meetings or projects is required, so the attack can be carried out by a malicious user holding standard project-level privileges. Because no privilege escalation or credential compromise is needed, exploitation is straightforward for anyone with the required permission.

Generated by OpenCVE AI on April 20, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.0 or later, which contains the patch for the unscoped section lookup flaw.
  • Restrict the manage_agendas permission to administrators or trusted users only, removing it from regular project members to prevent cross-project agenda injection.
  • If an upgrade cannot be performed immediately, monitor meeting agenda logs for unauthorized items and conduct regular audits of meeting schedules to detect and mitigate tampering.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Opf; Opf openproject

Type: Vendors & Products
Values Added: Opf; Opf openproject

Mon, 20 Apr 2026 15:45:00 +0000

Type: Description
Values Added: OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

Type: Title
Values Added: OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup

Type: Weaknesses
Values Added: CWE-367; CWE-639

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:13:10.714Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40896

Vulnrichment

Updated: 2026-04-20T16:12:58.827Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T16:16:48.567

Modified: 2026-04-20T19:03:07.607

Link: CVE-2026-40896

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses