Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or permission level. An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner. This vulnerability is fixed in 17.3.2 and 17.4.0.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Missing Authorization flaw (CWE-862) in the CostReportsController. The rename and update actions permit any authenticated user to change the name, filters, and grouping of any public cost report, circumventing ownership checks. An attacker who learns or guesses a public report's numeric identifier can rename the report or overwrite its filter configuration without the owner's knowledge, potentially compromising reporting accuracy and data integrity.

Affected Systems

The affected product is OpenProject, web-based project management software from the opf organization. Versions prior to 17.3.2 and 17.4.0 are vulnerable; all builds before those releases should be considered affected until the patch is applied.

Risk and Exploitability

The flaw carries a CVSS score of 6.5, indicating moderate severity. Exploitation requires an authenticated account, and the attacker must locate a public report identifier. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. Although the attack vector is limited to authenticated users, the lack of authorization checks makes the vulnerability exploitable in environments where many users have public report access.

Generated by OpenCVE AI on June 26, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.2 or later, or 17.4.0 or later, which contain the authorization fix for cost report rename and update actions.
  • Restrict public access to cost reports by reviewing and tightening role permissions, ensuring only trusted users can view or modify public reports.
  • Audit existing public cost reports for unintended changes and apply corrective actions, such as resetting filters and names, to mitigate potential data tampering.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Opf; Opf openproject
Vendors & Products   -                Opf; Opf openproject

Fri, 26 Jun 2026 20:15:00 +0000

Type         Values Removed   Values Added
Description  -                OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or permission level. An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner. This vulnerability is fixed in 17.3.2 and 17.4.0.
Title        -                OpenProject: Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename
Weaknesses   -                CWE-862
References   -                -
Metrics      -                cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:33:08.650Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44734

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T01:15:08Z

Weaknesses