CVE-2026-23646
Insecure Direct Object Reference in OpenProject Session Management

Publication date: 2026-01-19

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 can view and end their active sessions via Account Settings → Sessions. When a session was deleted, it was not properly checked whether the session belonged to the requesting user. Because the IDs that identify these session objects are incremental integers, users could iterate requests to `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not gain access to any sensitive information (such as browser identifier, IP addresses, etc.) of other users that is stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available, as exploiting this does not require any permission or other setting that could be temporarily disabled.
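The following plain-Ruby sketch is an added illustration of the flaw described above and is not OpenProject's own code (the project's controller is not reproduced here). It contrasts a delete handler that looks a session up by its integer ID alone with one that restricts the lookup to the caller's own sessions; the in-memory store, user names and handler names are assumptions made for the example.

```ruby
# Added illustration, not OpenProject's code: an in-memory session store with
# incremental integer IDs, a delete handler with the missing ownership check,
# and the scoped handler that closes the hole. Names are assumptions for the example.
Session = Struct.new(:id, :user_id, :browser)

class SessionStore
  def initialize
    @rows = {}
    @next_id = 0 # incremental integer IDs, as described in the advisory
  end

  def create(user_id, browser)
    @next_id += 1
    @rows[@next_id] = Session.new(@next_id, user_id, browser)
  end

  def find(id)
    @rows[id]
  end

  def delete(id)
    @rows.delete(id)
  end

  def ids_for(user_id)
    @rows.values.select { |s| s.user_id == user_id }.map(&:id)
  end
end

# Vulnerable handler for DELETE /my/sessions/:id: the session is looked up by
# ID alone, so any authenticated user can end any other user's session.
def destroy_session_vulnerable(store, _current_user_id, id)
  session = store.find(id)
  return :not_found unless session
  store.delete(id)
  :deleted
end

# Fixed handler: the lookup is restricted to the caller's own sessions. A
# foreign ID behaves exactly like a nonexistent one, so the response also
# does not reveal whether another user's session with that ID exists.
def destroy_session_fixed(store, current_user_id, id)
  session = store.find(id)
  return :not_found unless session && session.user_id == current_user_id
  store.delete(id)
  :deleted
end

# Runs both handlers against the same scenario: bob tries to end alice's session.
def demo
  vulnerable_store = SessionStore.new
  alice_session = vulnerable_store.create(:alice, 'Firefox')
  vulnerable_store.create(:bob, 'Chrome')
  vulnerable_result = destroy_session_vulnerable(vulnerable_store, :bob, alice_session.id)

  fixed_store = SessionStore.new
  alice_session = fixed_store.create(:alice, 'Firefox')
  bob_session = fixed_store.create(:bob, 'Chrome')
  fixed_result = destroy_session_fixed(fixed_store, :bob, alice_session.id)
  own_result = destroy_session_fixed(fixed_store, :bob, bob_session.id)

  {
    vulnerable: vulnerable_result,                                          # :deleted
    alice_sessions_after_vulnerable: vulnerable_store.ids_for(:alice).size, # 0
    fixed: fixed_result,                                                    # :not_found
    alice_sessions_after_fix: fixed_store.ids_for(:alice).size,             # 1
    own: own_result                                                         # :deleted
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The fixed handler answers `:not_found` for both a missing ID and another user's ID, which is the property to check in a regression test: the ownership check must not merely reject the request but must also keep the response identical to the nonexistent case.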
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor | Product | Version / Range
opf | openproject | up to 17.0.0 (excluding)
openproject | openproject | up to 16.6.5 (including)
openproject | openproject | 17.0.0
CWE
CWE-488: The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in OpenProject allows users to delete active sessions of other users because the system does not properly verify if a session belongs to the user attempting to delete it. Since session IDs are incremental integers, an attacker can iterate through session IDs using the DELETE /my/sessions/:id endpoint to unauthenticate other users without authorization. No sensitive information is exposed, but other users can be forcibly logged out. [2]


How can this vulnerability impact me?

The vulnerability can impact you by allowing an attacker to forcibly log out other users by deleting their active sessions. This affects the availability of your sessions and disrupts user access, although it does not expose sensitive information or compromise confidentiality or integrity. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized deletion of active user sessions via the DELETE /my/sessions/:id endpoint by iterating incremental session IDs. Detection could involve monitoring HTTP DELETE requests to /my/sessions/ endpoints and checking for unusual patterns such as multiple DELETE requests with sequential session IDs from the same user or IP address. Network or application logs could be analyzed for such behavior. Specific commands depend on your logging and monitoring setup, but for example, using grep on server logs: grep 'DELETE /my/sessions/' /path/to/access.log to identify suspicious session deletion attempts. [2]
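As an added example that is not part of the original answer, the following Ruby script implements the pattern the answer describes: it parses access-log lines, keeps only `DELETE /my/sessions/<id>` requests, groups them by client IP and flags clients whose deleted IDs form a run of consecutive integers. The log lines are constructed sample data in combined log format, and the thresholds and function names are assumptions for the example; adjust the regex to your own log layout.

```ruby
# Added example, not from the advisory: flag clients issuing DELETE
# /my/sessions/:id requests with consecutive integer IDs. Log lines below are
# constructed sample data; thresholds and names are assumptions for the example.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*"/
SESSION_DELETE = %r{\A/my/sessions/(?<id>\d+)\z}

SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [19/Jan/2026:10:00:01 +0000] "GET /my/sessions HTTP/1.1" 200 5120
  10.0.0.5 - - [19/Jan/2026:10:00:04 +0000] "DELETE /my/sessions/41 HTTP/1.1" 204 0
  10.0.0.9 - - [19/Jan/2026:10:00:05 +0000] "DELETE /my/sessions/100 HTTP/1.1" 204 0
  10.0.0.9 - - [19/Jan/2026:10:00:05 +0000] "DELETE /my/sessions/101 HTTP/1.1" 204 0
  10.0.0.9 - - [19/Jan/2026:10:00:06 +0000] "DELETE /my/sessions/102 HTTP/1.1" 204 0
  10.0.0.9 - - [19/Jan/2026:10:00:06 +0000] "DELETE /my/sessions/103 HTTP/1.1" 404 0
  10.0.0.9 - - [19/Jan/2026:10:00:07 +0000] "DELETE /my/sessions/104 HTTP/1.1" 204 0
  10.0.0.7 - - [19/Jan/2026:10:01:00 +0000] "DELETE /my/sessions/7 HTTP/1.1" 204 0
  10.0.0.7 - - [19/Jan/2026:10:05:00 +0000] "DELETE /my/sessions/9 HTTP/1.1" 204 0
LOG

# Returns { ip => [session ids deleted, in log order] } for DELETE /my/sessions/:id.
def session_deletes_by_ip(log_text)
  deletes = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = LOG_LINE.match(line) or next
    next unless m[:method] == 'DELETE'
    pm = SESSION_DELETE.match(m[:path]) or next
    deletes[m[:ip]] << pm[:id].to_i
  end
  deletes
end

# Longest run of consecutive integers in the sequence, in the order issued.
def longest_sequential_run(ids)
  return 0 if ids.empty?
  best = run = 1
  ids.each_cons(2) do |a, b|
    run = b == a + 1 ? run + 1 : 1
    best = run if run > best
  end
  best
end

# Flags IPs whose deletes contain a run of at least `min_run` consecutive IDs
# or exceed `max_total` deletes. A user ending a few of their own sessions
# (a handful of unrelated IDs) stays below both thresholds.
def suspicious_clients(log_text, min_run: 3, max_total: 10)
  session_deletes_by_ip(log_text).each_with_object({}) do |(ip, ids), out|
    run = longest_sequential_run(ids)
    next unless run >= min_run || ids.size > max_total
    out[ip] = { deletes: ids.size, longest_run: run }
  end
end

puts suspicious_clients(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

On the sample data only 10.0.0.9 is flagged (five deletes, a run of five consecutive IDs); 10.0.0.5 and 10.0.0.7 delete one or two unrelated IDs and are left alone. Grouping by authenticated user instead of by IP, where your logs carry that, avoids false positives from shared egress addresses.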


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update OpenProject to version 16.6.5 or 17.0.1 or later, where the vulnerability has been patched. No temporary workarounds or permission changes are available to mitigate this issue. Promptly applying the update will prevent unauthorized session deletions. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

