CVE-2026-40896 in openproject

Information

Summary

by MITRE • 20/04/2026

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

Responsible

GitHub M

Reserved

15/04/2026

Disclosure

20/04/2026

Moderation

accepted

Entry

VDB-358313

CPE

ready

EPSS

0.00033

KEV

no

Activities

very low
