OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

Basic Information

ID CVE-2026-40896

Source GitHub_M

Published Apr 20, 2026 at 15:12

Modified Apr 20, 2026 at 16:13

Affected Product

Vendor opf

Product openproject

Version < 17.3.0

Affected Versions opf openproject < 17.3.0

CWE Classification

CWE-367 CWE-639

References

{
    "lastseen": "",
    "description": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.",
    "published": "2026-04-20T15:12:52.279Z",
    "modified": "2026-04-20T16:13:10.714Z",
    "type": "cve",
    "title": "OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup",
    "source": "GitHub_M",
    "references": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245\nhttps://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe",
    "id": "CVE-2026-40896",
    "bulletinFamily": "",
    "cwe": [
        "CWE-367",
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "opf openproject < 17.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openproject",
    "version": "< 17.3.0",
    "vendor": "opf",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup_CVE-2026-40896