CVE-2026-24776
Unknown Unknown - Not Provided
Improper Access Control in OpenProject Agenda Drag-and-Drop

Publication date: 2026-02-06

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24776
EUVD
EUVD-2026-5638
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-24776 is a moderate severity Insecure Direct Object Reference (IDOR) vulnerability in OpenProject versions prior to 17.0.2, specifically affecting the MeetingAgendaItems feature.'}, {'type': 'paragraph', 'content': 'The issue occurs because the drag-and-drop handler that moves agenda items between meeting sections does not properly verify whether the target section belongs to the same meeting or, in recurring meetings, the backlog.'}, {'type': 'paragraph', 'content': 'This flaw allows an attacker with the "Manage Agenda Items" permission to move an agenda item into a different meeting, effectively transferring agenda items across projects without authorization.'}, {'type': 'paragraph', 'content': 'Although the attacker does not gain access to the meetings themselves, they can add arbitrary agenda items to other meetings, which could cause confusion or disruption.'}, {'type': 'paragraph', 'content': 'The vulnerability requires low privileges, no user interaction, and can be exploited over the network.'}] [1]

Impact Analysis

This vulnerability impacts data integrity by allowing unauthorized modification of meeting agenda items.

An attacker can insert arbitrary agenda items into meetings they should not have access to, potentially causing confusion or disruption in project management.

However, the vulnerability does not grant the attacker access to the meetings themselves, nor does it affect confidentiality or availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unauthorized movement of meeting agenda items across different meetings by exploiting improper checks in the drag-and-drop handler. Detection would involve monitoring for unexpected or unauthorized changes to meeting agenda items, especially agenda items appearing in meetings where they do not belong.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires the "Manage Agenda Items" permission and is triggered via the web interface, detection can focus on auditing user actions related to agenda item modifications and reviewing logs for suspicious drag-and-drop operations moving agenda items between meetings.'}, {'type': 'paragraph', 'content': 'There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade OpenProject to version 17.0.2 or later, which includes a patch that properly enforces meeting section ownership checks to prevent unauthorized movement of agenda items across meetings.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, administrators should restrict the "Manage Agenda Items" permission to only trusted users to reduce the risk of exploitation.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24776. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart