Description

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

INFO

Published Date: 2026-04-20T15:12:52.279Z

Last Modified: 2026-04-20T16:13:10.714Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-40896 vulnerability.

Vendor        Products
Openproject   Openproject
Opf           Openproject