CVE-2026-30239

OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets

Description

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.

INFO

Published Date :

2026-03-11T16:27:31.895Z

Last Modified :

2026-03-11T17:12:12.088Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-30239 vulnerability.

Vendors	Products
Openproject	Openproject
Opf	Openproject

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30239.

URL	Resource
https://github.com/opf/openproject/security/advisories/GHSA-gpvh-g967-g4h8

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact