Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to alter the "user[admin]" field via a POST request to /users/:id. This CSRF flaw can elevate a non-admin user's permissions by granting them administrative authority, potentially compromising the entire application. The weakness is classified as CWE-352, highlighting the risk of unauthorized state change without proper verification.

Affected Systems

Affected are installations of OpenProject prior to version 17.3.3 and prior to version 17.4.1, regardless of deployment environment. Any version of OpenProject lacking the patch is susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires the victim to be logged into a target OpenProject instance and to visit a malicious site that posts to the vulnerable endpoint. The attacker can then set the admin flag for the victim’s account or another user, enabling full control over project data. The high score combined with the common CSRF attack vector makes this a significant risk for organizations whose users have administrative editing privileges.

Generated by OpenCVE AI on June 26, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.3.3 or later, or to 17.4.1 or later, which contain the CSRF fix.
  • Restrict the ability to edit the admin flag by reviewing and tightening role-based permissions for user modifications.
  • If a patch cannot be applied immediately, ensure that all authenticated users are protected by a properly validated CSRF token and that the "user[admin]" parameter is not exposed in publicly accessible forms.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 19:30:00 +0000

Type          Values Removed    Values Added
Description                     OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.
Title                           OpenProject: CSRF on TARGET through /users/:id via POST parameter "user[admin]"
Weaknesses                      CWE-352
References
Metrics                         cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:44:25.656Z

Reserved: 2026-06-08T17:13:43.066Z

Link: CVE-2026-52784

Vulnrichment

Updated: 2026-06-26T19:44:05.315Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)