CVE-2026-52779 in openproject
Summary
by MITRE • 06/26/2026
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability represents a critical authorization flaw in OpenProject's web-based project management platform that exploits a fundamental context confusion pattern within the calendar and team planner modules. The issue stems from an inconsistent authorization model where the system initially validates access based on the project identifier provided in the URL path parameter :project_id, yet subsequently retrieves and operates on query objects using a different identifier :id from a method that does not enforce project boundaries. This creates a scenario where users with management permissions in one project can manipulate resources belonging to different projects through a simple parameter manipulation attack vector.
The technical implementation of this vulnerability manifests through the Query.visible(current_user) method which loads queries based on user visibility rather than explicit project ownership validation. When a request is made to delete a calendar or team planner query, the system authenticates against the project specified in :project_id but then executes the deletion operation against a query identified by :id without cross-verifying that the loaded query actually belongs to the authenticated project. This authorization bypass allows attackers to leverage their permissions in one project context to perform destructive operations against shared resources in unrelated projects.
The operational impact of this vulnerability extends beyond simple data integrity concerns to encompass availability disruption for legitimate users who rely on shared calendar and team planner views. An attacker with management privileges in Project A can completely remove public queries from Project B, effectively removing access to important planning information for other project members. This creates a cascading effect where project teams lose visibility into shared scheduling information and collaborative planning resources, potentially disrupting workflow coordination and project timelines.
From a cybersecurity perspective, this vulnerability aligns with CWE-639 (Authorization Bypass Through User-Controlled Key) and demonstrates characteristics consistent with ATT&CK technique T1078.004 (Valid Accounts: Cloud Accounts) where legitimate user permissions are abused to perform unauthorized operations. The flaw represents a classic case of insufficient authorization checks in multi-tenant applications where resource boundaries are not properly enforced during object retrieval operations. Organizations using OpenProject versions prior to 17.3.3 and 17.4.1 face significant risk of data integrity compromise and operational disruption through this type of cross-project authorization bypass.
The mitigation strategy requires immediate upgrade to the patched versions 17.3.3 and 17.4.1 which implement proper project boundary validation during query loading operations. Additionally, organizations should conduct comprehensive security audits of their OpenProject installations to identify similar authorization patterns that may exhibit the same context confusion behavior. Implementing explicit project ownership verification in all resource retrieval methods and establishing more robust authorization frameworks that validate resource ownership against authenticated contexts will help prevent similar vulnerabilities from emerging in other modules or future application versions.