CVE-2026-40896 PUBLISHED

OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup

Assigner: GitHub_M
Reserved: 15.04.2026 Published: 20.04.2026 Updated: 20.04.2026

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage_agendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	opf
Product	openproject
Versions	Version < 17.3.0 is affected

References

Problem Types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE
CWE-639: Authorization Bypass Through User-Controlled Key CWE