CVE-2026-40896 in OpenProject (information)

Summary

by MITRE • 2026-04-20

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

Responsible

GitHub M

Reserved

2026-04-15

Disclosure

2026-04-20

Moderation

accepted

Entry

VDB-358313

CPE

ready

EPSS

0.00033

KEV

no

Activities

very low
