Description

OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled.

INFO

Published Date :

2026-01-19T17:48:03.082Z

Last Modified :

2026-01-20T14:54:40.162Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23646 vulnerability.

Vendors Products
Openproject
  • Openproject
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23646.

URL Resource
https://github.com/opf/openproject/releases/tag/v16.6.5 cve-icon cve-icon
https://github.com/opf/openproject/releases/tag/v17.0.1 cve-icon cve-icon
https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact