CVE-2026-40896 | THREATINT

Description

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-20 | Updated 2026-04-20 | Assigner GitHub_M

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Problem types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 17.3.0

affected

References

github.com/...roject/security/advisories/GHSA-hh5p-gwf8-h245 exploit

github.com/...roject/security/advisories/GHSA-hh5p-gwf8-h245

github.com/...ommit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe

cve.org (CVE-2026-40896)

nvd.nist.gov (CVE-2026-40896)

Download JSON