CVE-2026-44732 in openproject
Summary
by MITRE • 06/26/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without :manage_documents in the source project can move and modify foreign project documents by setting project_id in a single PATCH request. This vulnerability is fixed in 17.3.2 and 17.4.0.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability is an authorization bypass in OpenProject's document management: a user who can merely see a document can move it into another project and modify it there. The root cause is the order of operations in the document update handler. When a PATCH request arrives, the target document is loaded with a visibility check only, so any user who can view the document in its current project passes that step. The request attributes, including project_id, are then applied to the loaded record before the :manage_documents authorization check runs.
Because the authorization check runs after attribute assignment, it evaluates the permission against the project the attacker has just written into project_id rather than the project the document actually belonged to. An attacker who holds :manage_documents in some project of their own therefore passes the check for a document they have no right to manage in its source project. This is an ordering bug in the request handling, not a race condition: no concurrent requests are needed, and a single PATCH that sets project_id is sufficient. The effect is that the per-project permission boundary, which is the primary isolation mechanism between projects on a shared OpenProject instance, does not hold for documents.
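The ordering problem described above, reduced to a small Ruby model. This is an added illustration and not OpenProject's code: the controller, the permission map and the data are constructed for the example, and the only thing it reproduces is the sequence "load with visibility check, assign attributes, authorize" against the corrected sequence "authorize in the source project, authorize in the target project if project_id changes, then assign".

```ruby
# Illustrative model of the update ordering bug. Assumption: this is not
# OpenProject's real code; names and data are constructed for the example.
require "set"

Document = Struct.new(:id, :project_id, :title)

class Forbidden < StandardError; end
class NotFound < StandardError; end

class DocumentsController
  # permissions: { user => { project_id => Set[:view_documents, :manage_documents] } }
  def initialize(documents, permissions)
    @documents = documents
    @permissions = permissions
  end

  def allowed?(user, project_id, permission)
    @permissions.dig(user, project_id)&.include?(permission) || false
  end

  # Visibility check only: the document is found if the user may view it
  # in the project it currently belongs to.
  def find_visible(user, id)
    doc = @documents[id] or raise NotFound
    raise NotFound unless allowed?(user, doc.project_id, :view_documents)
    doc
  end

  # Vulnerable ordering: request attributes (including project_id) are
  # applied first, so the authorization check evaluates :manage_documents
  # against the project the caller just chose.
  def update_vulnerable(user, id, params)
    doc = find_visible(user, id)
    params.each { |k, v| doc[k] = v }   # mass-assign, project_id included
    raise Forbidden unless allowed?(user, doc.project_id, :manage_documents)
    doc
  end

  # Hardened ordering: authorize in the source project before touching the
  # record, and also in the target project when the request moves it.
  def update_fixed(user, id, params)
    doc = find_visible(user, id)
    raise Forbidden unless allowed?(user, doc.project_id, :manage_documents)
    if params.key?(:project_id) && params[:project_id] != doc.project_id
      raise Forbidden unless allowed?(user, params[:project_id], :manage_documents)
    end
    params.each { |k, v| doc[k] = v }
    doc
  end
end

# Constructed scenario: "mallory" may view documents in project 1 and holds
# :manage_documents only in project 2.
def build_scenario
  docs = { 42 => Document.new(42, 1, "Q3 roadmap") }
  perms = {
    "mallory" => {
      1 => Set[:view_documents],
      2 => Set[:view_documents, :manage_documents],
    },
  }
  DocumentsController.new(docs, perms)
end

# Single PATCH-equivalent call against the vulnerable ordering.
def exploit_result
  doc = build_scenario.update_vulnerable("mallory", 42, { project_id: 2, title: "defaced" })
  [doc.project_id, doc.title]
end

# Same request against the corrected ordering.
def fixed_result
  build_scenario.update_fixed("mallory", 42, { project_id: 2, title: "defaced" })
  :allowed
rescue Forbidden
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable ordering: #{exploit_result.inspect}"
  puts "fixed ordering:      #{fixed_result.inspect}"
end
```

The fixed variant checks the source project first because that is the permission the attacker lacks; checking the target project as well prevents the mirror-image abuse of dumping documents into a project where the caller has no rights. Any check performed after mass assignment inherits the attacker's choice of project_id, which is the whole bug.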
The operational impact goes beyond a single edited document. An attacker with view access in a project can move documents out of it into a project they control and modify them there, which can expose document contents to people who were never members of the source project, alter project records that others rely on, and disrupt workflows that reference those documents. The advisory describes moving and modifying documents; whether further actions become possible on the moved document depends on the attacker's rights in the destination project. The flaw is a direct violation of least privilege: a permission granted in one project is effectively honoured in another.
Security professionals should upgrade to OpenProject 17.3.2 or 17.4.0, where the fix enforces authorization before request attributes are applied. Until the upgrade is in place, review the audit trail for document updates whose project_id changed, and compare the acting user's role in the source project against what the move would have required; a project_id change by a user without :manage_documents in the source project is the signature of this abuse. Periodic review of API endpoint authorization, in particular the order of "load, assign, authorize" in update handlers, catches the same class of bug elsewhere. The weakness corresponds to CWE-284 Improper Access Control, and the page maps it to ATT&CK technique T1078 Valid Accounts, since it is exercised by an authenticated user with legitimate but limited permissions. The same monitoring approach, alerting on records crossing a tenancy or project boundary, applies to other applications with per-project access control.
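A small detection routine for the audit-log check suggested above, added here as an example rather than taken from OpenProject or VulDB. The JSON log lines and the per-project permission map are constructed for the example, and the field names (ts, actor, action, document_id, changes) are assumptions; adapt them to the audit format actually in use.

```ruby
require "json"

# Constructed sample audit entries (JSON lines). Assumption: these are not
# real OpenProject log output, and the field names are chosen for the example.
SAMPLE_AUDIT_LOG = <<~LOG
  {"ts":"2026-06-27T10:01:02Z","actor":"alice","action":"document.update","document_id":7,"changes":{"title":["a","b"]}}
  {"ts":"2026-06-27T10:05:44Z","actor":"mallory","action":"document.update","document_id":42,"changes":{"project_id":[1,2],"title":["Q3 roadmap","defaced"]}}
  {"ts":"2026-06-27T10:06:10Z","actor":"bob","action":"document.update","document_id":9,"changes":{"project_id":[3,4]}}
  {"ts":"2026-06-27T10:07:00Z","actor":"mallory","action":"document.view","document_id":42}
LOG

# Constructed map of who holds :manage_documents in which projects. In a
# real deployment this would be exported from the role assignments.
MANAGE_DOCUMENTS = {
  "alice"   => [1],
  "bob"     => [3, 4],
  "mallory" => [2],
}

# Returns the update entries where a document changed project and the
# acting user is not recorded as holding :manage_documents in the source
# project, which is exactly the move this vulnerability enables.
def suspicious_moves(log_text, manage_map)
  log_text.each_line.filter_map do |line|
    entry = JSON.parse(line)
    next unless entry["action"] == "document.update"
    from, to = entry.dig("changes", "project_id")
    next if from.nil?                                  # no move in this update
    next if Array(manage_map[entry["actor"]]).include?(from)
    { ts: entry["ts"], actor: entry["actor"], document_id: entry["document_id"],
      from: from, to: to }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_moves(SAMPLE_AUDIT_LOG, MANAGE_DOCUMENTS).each do |hit|
    puts "#{hit[:ts]} #{hit[:actor]} moved document #{hit[:document_id]} " \
         "from project #{hit[:from]} to #{hit[:to]} without manage rights in source"
  end
end
```

The check keys on the source project on purpose: a legitimate move is authorized where the document came from, so an actor lacking rights there is the signal. Bob's move from project 3 to 4 is not flagged because he manages project 3; Mallory's move of document 42 out of project 1 is.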