Impact
The vulnerability is an Insecure Direct Object Reference (IDOR) in the OpenProject document update endpoint /api/v3/documents/{id}: a single PATCH request may supply a new project_id for the document. Prior to releases 17.3.2 and 17.4.0, the endpoint loads the target document (applying visibility checks) and then updates it, but during the update the attacker‑controlled attributes are applied to the persisted record before authorization is enforced. Because project_id has already been overwritten by the time the permission check runs, the check no longer reflects the project the document was loaded from. As a result, a user who lacks the :manage_documents permission in the source project can move or modify documents belonging to other projects by setting project_id, compromising the integrity of project documents. The flaw is classified as CWE‑639 (Authorization Bypass Through User‑Controlled Key).
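The ordering problem described above, reduced to a small Ruby model. This is an added illustration and not OpenProject's own service code: the Document and User structs, the permissions hash and the sample project and user data are all constructed here for the example. The vulnerable version applies the request attributes first and then authorizes against whatever project_id the record now carries; the fixed version authorizes against the document's current project before touching it, and additionally requires the permission in the destination project when project_id changes.

```ruby
# Added example (not OpenProject code): minimal model of a document update
# service showing why assigning attributes before authorizing lets a caller
# move a document out of a project they cannot manage.

Document = Struct.new(:id, :project_id, :title)

# permissions maps project_id => array of permission symbols (constructed data)
User = Struct.new(:name, :permissions) do
  def allowed?(permission, project_id)
    permissions.fetch(project_id, []).include?(permission)
  end
end

class Forbidden < StandardError; end

# Vulnerable ordering: attacker-controlled attributes (including project_id)
# are applied to the record first, so the permission check is evaluated
# against the project the attacker chose, not the one the document came from.
def update_document_vulnerable(user, doc, attrs)
  doc = doc.dup
  attrs.each { |k, v| doc[k] = v }
  raise Forbidden unless user.allowed?(:manage_documents, doc.project_id)
  doc
end

# Fixed ordering: authorize against the document's current project before any
# attribute is applied; a change of project_id also needs the permission in
# the destination project, otherwise arbitrary documents could be pulled in.
def update_document_fixed(user, doc, attrs)
  raise Forbidden unless user.allowed?(:manage_documents, doc.project_id)
  if attrs.key?(:project_id) && attrs[:project_id] != doc.project_id
    raise Forbidden unless user.allowed?(:manage_documents, attrs[:project_id])
  end
  doc = doc.dup
  attrs.each { |k, v| doc[k] = v }
  doc
end

# Constructed scenario: mallory manages project 2 only; document 7 lives in
# project 1. A PATCH setting project_id to 2 should be rejected.
def demo
  mallory = User.new("mallory", { 2 => [:manage_documents] })
  doc = Document.new(7, 1, "Q3 roadmap")
  attrs = { project_id: 2, title: "moved by mallory" }

  moved = update_document_vulnerable(mallory, doc, attrs)
  blocked = begin
    update_document_fixed(mallory, doc, attrs)
    false
  rescue Forbidden
    true
  end

  # A user holding :manage_documents in both projects may still move it.
  admin = User.new("admin", { 1 => [:manage_documents], 2 => [:manage_documents] })
  legit = update_document_fixed(admin, doc, attrs)

  { vulnerable_moved_to: moved.project_id, fixed_blocked: blocked,
    legit_moved_to: legit.project_id }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the hash: the vulnerable path moves document 7 into project 2 without error, the fixed path raises Forbidden for mallory, and the user who manages both projects can still perform the move.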
Affected Systems
OpenProject, the open‑source web‑based project management platform, is affected in all releases older than 17.3.2 and 17.4.0: any 17.3.x release prior to 17.3.2 is vulnerable, and 17.4.0 is the first fixed release of the 17.4 line. The CNA lists "opf:openproject" as the vendor/product, and the advisory names the patch versions that contain the fix.
Risk and Exploitability
The CVSS score is 4.3 (Medium); no EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user who can issue PATCH requests to the document endpoint, but no privilege in the source project beyond what is needed to see the document. Because the authorization check runs only after the document has been retrieved and the attacker‑supplied attributes applied, any user who can authenticate to the OpenProject instance can attempt the attack remotely over the web. Exposure therefore depends on who can obtain accounts on the instance and on how document permissions are assigned across its projects. Mitigation is to upgrade to 17.3.2 or 17.4.0 and, until then, to restrict which accounts can authenticate and which projects grant :manage_documents, so that unauthorized document modifications are prevented.
OpenCVE Enrichment