Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]" leads to access to unauthorized resources. A project admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject versions prior to 17.3.3 (for the 17.3.x line) and prior to 17.4.1 contain an insecure direct object reference (IDOR) vulnerability. A project administrator can set the "storages_project_storage[project_folder_id]" PATCH parameter on the endpoint /projects/<A>/settings/project_storages/<A_ps_id> to the folder ID of a folder belonging to another project. The next managed-folder sync of that storage overwrites the access control list of the target folder with the attacker project's user list, effectively granting all users of the attacker's project access to that folder. The flaw directly results in unauthorized disclosure or manipulation of another project's resources.

Affected Systems

The affected product is OpenProject, a web‑based project management platform. All installations running any version prior to 17.3.3 for the 17.x series or prior to 17.4.1 are vulnerable. No other versions are listed as affected.

Risk and Exploitability

The CVSS score is 9.9, indicating critical severity. EPSS data is not provided, but the flaw requires an authenticated project‑administrator, which may limit the number of potential attackers. It is not listed in the CISA KEV catalog. An attacker must have administrative permissions on a project and must be able to send authenticated PATCH requests to the vulnerable endpoint. Once exploited, the attacker gains full access to the target project’s storage folder, enabling data exposure or modification.

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.3 or 17.4.1 or later to apply the vendor fix.
  • If an upgrade is not immediately possible, restrict permissions so that only trusted administrators can edit project storage settings and audit current "storages_project_storage" entries for unintended folder IDs.
  • Review and update storage ACLs on all projects to confirm that the correct project folder IDs are associated and revoke access where appropriate.
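As an added illustration (not OpenProject's code or the vendor's fix), the Ruby below models Storages::ProjectStorage rows as plain structs and shows two defensive pieces: a server-side check that refuses to bind a project_folder_id already used by another project on the same storage, and the audit from the recommended actions that lists folder IDs bound to more than one project. The table, row values and folder IDs are constructed for the example.

```ruby
# Hypothetical stand-in for the storages_project_storages table (constructed data).
ProjectStorage = Struct.new(:id, :project_id, :storage_id, :project_folder_id)

PROJECT_STORAGES = [
  ProjectStorage.new(1, 100, 7, "folder-A-123"), # project A on storage 7
  ProjectStorage.new(2, 200, 7, "folder-B-456"), # project B on the same storage
  ProjectStorage.new(3, 300, 8, "folder-B-456")  # different storage; same id string is not a clash
].freeze

class FolderHijackError < StandardError; end

# Check a PATCH handler should make before accepting a user-supplied folder id
# (CWE-639: the key is attacker-controlled). A managed folder may be bound to at
# most one project per storage, so a clash with another project's row is refused.
def update_folder_checked(rows, ps_id, new_folder_id)
  row = rows.find { |r| r.id == ps_id }
  raise ArgumentError, "unknown project storage #{ps_id}" unless row

  clash = rows.find do |r|
    r.id != row.id && r.storage_id == row.storage_id && r.project_folder_id == new_folder_id
  end
  if clash
    raise FolderHijackError,
          "folder #{new_folder_id} is already bound to project #{clash.project_id}"
  end

  row.project_folder_id = new_folder_id
  row
end

# Audit for existing installations: folder ids that are bound to more than one
# project on the same storage indicate a hijacked (or misconfigured) managed folder.
def audit_duplicate_folders(rows)
  rows.group_by { |r| [r.storage_id, r.project_folder_id] }
      .select { |_, grp| grp.map(&:project_id).uniq.size > 1 }
      .map do |(storage_id, folder_id), grp|
        { storage_id: storage_id, project_folder_id: folder_id,
          project_ids: grp.map(&:project_id).sort }
      end
end

if __FILE__ == $PROGRAM_NAME
  rows = Marshal.load(Marshal.dump(PROJECT_STORAGES))
  begin
    update_folder_checked(rows, 1, "folder-B-456")
  rescue FolderHijackError => e
    puts "refused: #{e.message}"
  end
  puts "audit: #{audit_duplicate_folders(rows).inspect}"
end
```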

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Values added (no values removed):

  • Description: OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
  • Title: OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources
  • Weaknesses: CWE-639
  • References: (none)
  • Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:59:27.758Z

Reserved: 2026-06-08T17:13:43.065Z

Link: CVE-2026-52782

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key