CVE-2026-30239 | THREATINT

Description

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.

PUBLISHED Reserved 2026-03-04 | Published 2026-03-11 | Updated 2026-03-11 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 17.2.0

affected

References

github.com/...roject/security/advisories/GHSA-gpvh-g967-g4h8

cve.org (CVE-2026-30239)

nvd.nist.gov (CVE-2026-30239)

Download JSON