Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject versions prior to 17.3.3 and 17.4.1 contain a cross‑project IDOR that lets a user with project‑management rights delete shared or public Calendar or Team Planner queries from another project where they lack those rights. The vulnerability enables removal of metadata that users rely on for collaboration, thereby corrupting the integrity of project data and causing a limited loss of availability for teams dependent on those shared views.

Affected Systems

The affected application is OpenProject, an open‑source, web‑based project management tool. The flaw exists in all versions before 17.3.3 and 17.4.1 and impacts the Calendar and Team Planner modules.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, and the EPSS score is unavailable, so the likelihood of exploitation is uncertain. The vulnerability is not listed in CISA’s KEV catalog. An attacker with management permissions on one project can craft a URL containing the target project’s ID and the query's ID; the application subsequently loads the query without verifying that it belongs to the requested project, allowing the deletion. This attack requires only an authenticated session and no additional privileges beyond existing project management rights.
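The authorization gap described in the advisory (and in the risk analysis above), as an added example that is not OpenProject's code: a minimal in-memory model of a Rails-style destroy action that authorizes against the project in the URL but then loads the record by its id from the set of queries visible to the user. The model names (Project, Query, User), the fixture data and the Query.visible stand-in are constructed for illustration; the only thing taken from the advisory is the shape of the check. The fixed handler scopes the lookup to the authorized project, which is what turns the cross-project request into a not-found response.

```ruby
# Added example (not OpenProject's code): in-memory model of the pattern the
# advisory describes. Project, Query, User and the fixture data are assumptions.

Project = Struct.new(:id, :identifier)
Query   = Struct.new(:id, :project_id, :name, :public)
User    = Struct.new(:id, :managed_project_ids)

class NotAuthorized < StandardError; end
class NotFound      < StandardError; end

# Constructed fixture: two projects; the user holds management rights only in project 1.
PROJECTS     = [Project.new(1, "project-a"), Project.new(2, "project-b")].freeze
MANAGER_OF_A = User.new(7, [1]).freeze

# Fresh copy of the query table for each scenario so deletions do not leak between runs.
def build_queries
  [
    Query.new(10, 1, "Team A sprint calendar", true),
    Query.new(20, 2, "Team B shared planner",  true),  # public view living in project B
    Query.new(30, 2, "Private planner view",   false),
  ]
end

# Stand-in for Query.visible(current_user): public queries are visible to every
# authenticated user regardless of project membership (assumption of this model).
def visible_queries(_user, queries)
  queries.select(&:public)
end

def authorize_manage!(user, project_id)
  raise NotAuthorized unless user.managed_project_ids.include?(project_id)
end

# Vulnerable shape: authorization is keyed on params[:project_id], but the record
# is found by params[:id] alone, so query.project_id is never compared.
def destroy_query_vulnerable(user, params, queries)
  authorize_manage!(user, params[:project_id])
  query = visible_queries(user, queries).find { |q| q.id == params[:id] }
  raise NotFound unless query
  queries.delete(query)
  :deleted
end

# Fixed shape: the lookup is scoped to the project that was just authorized, so a
# query belonging to another project is simply not found.
def destroy_query_fixed(user, params, queries)
  authorize_manage!(user, params[:project_id])
  query = visible_queries(user, queries)
          .find { |q| q.id == params[:id] && q.project_id == params[:project_id] }
  raise NotFound unless query
  queries.delete(query)
  :deleted
end

# Runs one handler against a fresh fixture and reports the outcome plus the
# ids that survive, so the two handlers can be compared side by side.
def outcome(handler, user, params)
  queries = build_queries
  result = send(handler, user, params, queries)
  [result, queries.map(&:id)]
rescue NotAuthorized
  [:not_authorized, nil]
rescue NotFound
  [:not_found, nil]
end

# Cross-project request: project_id of the project the user manages, id of a
# public query that belongs to the other project.
CROSS_PROJECT = { project_id: 1, id: 20 }.freeze
# Legitimate request inside the user's own project.
SAME_PROJECT  = { project_id: 1, id: 10 }.freeze

if __FILE__ == $PROGRAM_NAME
  p outcome(:destroy_query_vulnerable, MANAGER_OF_A, CROSS_PROJECT) # [:deleted, [10, 30]]
  p outcome(:destroy_query_fixed,      MANAGER_OF_A, CROSS_PROJECT) # [:not_found, nil]
  p outcome(:destroy_query_fixed,      MANAGER_OF_A, SAME_PROJECT)  # [:deleted, [20, 30]]
end
```

The useful review habit this models: whenever an action authorizes on one identifier (the project) and loads a record by another (the query id), the load must be scoped through the authorized parent, or the two checks can refer to different objects.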

Generated by OpenCVE AI on June 26, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.3 or newer, or 17.4.1 or newer, which removes the IDOR flaw.
  • Limit the assignment of project‑management permissions to reduce the number of users who could exploit the vulnerability.
  • Enable audit logging for query deletions and regularly review logs for unauthorized removals.

Generated by OpenCVE AI on June 26, 2026 at 20:20 UTC.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Opf; Opf openproject
Vendors & Products  |                | Opf; Opf openproject

Fri, 26 Jun 2026 19:30:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.
Title       |                | OpenProject: Cross-project authorization bypass allows deleting public Calendar and Team Planner queries from unauthorized projects
Weaknesses  |                | CWE-639; CWE-863
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:02:50.790Z

Reserved: 2026-06-08T17:13:43.065Z

Link: CVE-2026-52779

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-863

    Incorrect Authorization