CVE-2026-52779 | OpenProject is open-source, web-based project management sof… | CVSS 5.4 MEDIUM

Description

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.

Metadata

CVE ID: CVE-2026-52779
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 17:13 UTC
Published: 2026-06-26 19:02 UTC
Last updated: 2026-06-26 19:02 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: opf / openproject
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
opf	openproject	—	< 17.3.3, >= 17.4.0, < 17.4.1

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

References (1)

https://github.com/opf/openproject/security/advisories/GHSA-jrx5-px3f-vfq4 https://github.com/opf/openproject/security/advisories/GHSA-jrx5-px3f-vfq4