CVE-2026-24776
Improper Access Control in OpenProject Agenda Drag-and-Drop
Publication date: 2026-02-06
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | all versions prior to 17.0.2 (17.0.2 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | Authorization Bypass Through User-Controlled Key: the system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24776 is a moderate severity Insecure Direct Object Reference (IDOR) vulnerability in OpenProject versions prior to 17.0.2, specifically affecting the MeetingAgendaItems feature.
The issue occurs because the drag-and-drop handler that moves agenda items between meeting sections does not verify whether the target section belongs to the same meeting or, in recurring meetings, to that meeting's backlog.
This flaw allows an attacker with the "Manage Agenda Items" permission to move an agenda item into a different meeting, effectively transferring agenda items across projects without authorization.
Although the attacker does not gain access to the meetings themselves, they can add arbitrary agenda items to other meetings, which could cause confusion or disruption.
The vulnerability requires low privileges and no user interaction, and it can be exploited over the network. [1]
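The ownership check described above, as an added Ruby illustration that is not OpenProject's code: a client-controlled target section id is resolved and used as-is in the vulnerable variant, and tied back to the item's own meeting (or the backlog of its recurring series) in the hardened one. All names (Meeting, Section, AgendaItem, Repo, series_of, move_item_unchecked, move_item_checked, sample_repo) are hypothetical, the fixture data is constructed, and the hardened rule is generalized slightly beyond the advisory's wording by allowing a backlog move in either direction within one series.

```ruby
# Added example (hypothetical names, not OpenProject's code): a minimal model of
# the ownership check an agenda-item move handler must enforce.
Meeting    = Struct.new(:id, :project_id, :series_id, keyword_init: true)
# A section belongs either to one meeting, or (meeting_id nil, series_id set)
# to the backlog of a recurring meeting series.
Section    = Struct.new(:id, :meeting_id, :series_id, keyword_init: true)
AgendaItem = Struct.new(:id, :section_id, keyword_init: true)

class Forbidden < StandardError; end

# In-memory stand-in for the database tables.
class Repo
  attr_reader :meetings, :sections, :items

  def initialize(meetings, sections, items)
    @meetings = meetings.to_h { |m| [m.id, m] }
    @sections = sections.to_h { |s| [s.id, s] }
    @items    = items.to_h { |i| [i.id, i] }
  end
end

# Recurring series a section hangs off, via its meeting or directly as a
# backlog section; nil for a section of a one-off meeting.
def series_of(repo, section)
  return section.series_id if section.meeting_id.nil?

  repo.meetings.fetch(section.meeting_id).series_id
end

# Vulnerable pattern (CWE-639): the client-supplied target section id is
# resolved and used as-is, so an item can be dragged into any section whose id
# the caller can guess, including one in another project's meeting.
def move_item_unchecked(repo, item_id, target_section_id)
  item   = repo.items.fetch(item_id)
  target = repo.sections.fetch(target_section_id)
  item.section_id = target.id
  item
end

# Hardened pattern: the target must be a section of the same meeting, or the
# move must be between a meeting and the backlog of the same recurring series.
def move_item_checked(repo, item_id, target_section_id)
  item   = repo.items.fetch(item_id)
  source = repo.sections.fetch(item.section_id)
  target = repo.sections.fetch(target_section_id)

  same_meeting = !source.meeting_id.nil? && source.meeting_id == target.meeting_id
  backlog_move = (source.meeting_id.nil? || target.meeting_id.nil?) &&
                 !series_of(repo, source).nil? &&
                 series_of(repo, source) == series_of(repo, target)

  unless same_meeting || backlog_move
    raise Forbidden, "section #{target.id} does not belong to the item's meeting"
  end

  item.section_id = target.id
  item
end

# Constructed fixture: two one-off meetings in different projects and one
# occurrence of recurring series 7 together with that series' backlog.
def sample_repo
  meetings = [
    Meeting.new(id: 1, project_id: 10, series_id: nil),
    Meeting.new(id: 2, project_id: 20, series_id: nil),
    Meeting.new(id: 3, project_id: 10, series_id: 7)
  ]
  sections = [
    Section.new(id: 100, meeting_id: 1,   series_id: nil),
    Section.new(id: 101, meeting_id: 1,   series_id: nil),
    Section.new(id: 200, meeting_id: 2,   series_id: nil),
    Section.new(id: 300, meeting_id: 3,   series_id: nil),
    Section.new(id: 700, meeting_id: nil, series_id: 7)   # backlog of series 7
  ]
  items = [
    AgendaItem.new(id: 1000, section_id: 100),
    AgendaItem.new(id: 3000, section_id: 300)
  ]
  Repo.new(meetings, sections, items)
end

if __FILE__ == $PROGRAM_NAME
  # Unchecked: item 1000 lands in project 20's meeting. Checked: refused.
  puts move_item_unchecked(sample_repo, 1000, 200).section_id   # 200
  begin
    move_item_checked(sample_repo, 1000, 200)
  rescue Forbidden => e
    puts "blocked: #{e.message}"
  end
end
```

The check is deliberately expressed in terms of the item's current section rather than anything in the request: the only client-supplied values are the item id and the target section id, and the server derives the allowed scope from the item it already owns.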
How can this vulnerability impact me?
This vulnerability impacts data integrity by allowing unauthorized modification of meeting agenda items.
An attacker can insert arbitrary agenda items into meetings they should not have access to, potentially causing confusion or disruption in project management.
However, the vulnerability does not grant the attacker access to the meetings themselves, nor does it affect confidentiality or availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized movement of meeting agenda items across different meetings by exploiting improper checks in the drag-and-drop handler. Detection would involve monitoring for unexpected or unauthorized changes to meeting agenda items, especially agenda items appearing in meetings where they do not belong.
Since the vulnerability requires the "Manage Agenda Items" permission and is triggered via the web interface, detection can focus on auditing user actions related to agenda item modifications and reviewing logs for suspicious drag-and-drop operations moving agenda items between meetings.
There are no specific commands provided in the resources to detect this vulnerability directly on the network or system. [1]
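The log review suggested above, as an added Ruby example rather than an OpenProject tool: it scans an audit trail for agenda-item moves whose target is neither the item's own meeting nor the backlog of the recurring series that meeting belongs to, then counts hits per user. The line format, the RECURRING_SERIES lookup and the sample lines are all constructed for the example; adapt the regex to whatever your own audit trail records.

```ruby
# Added example (hypothetical log format, not OpenProject's): scan an audit
# trail for agenda-item moves that leave the item's meeting.
MOVE_LINE = /\Aaction=agenda_item\.move user=(?<user>\d+) item=(?<item>\d+) from=(?<from>\S+) to=(?<to>\S+)\z/

# Constructed lookup: which recurring series a meeting is an occurrence of.
RECURRING_SERIES = { "meeting:3" => "7" }.freeze

# A move is legitimate when it stays in one meeting, or goes between an
# occurrence of a recurring series and that series' own backlog.
def legitimate_move?(from, to)
  return true if from == to

  into_backlog   = RECURRING_SERIES[from] && to == "backlog:#{RECURRING_SERIES[from]}"
  out_of_backlog = RECURRING_SERIES[to] && from == "backlog:#{RECURRING_SERIES[to]}"
  !!(into_backlog || out_of_backlog)
end

# Constructed sample lines; actions other than a move are ignored.
SAMPLE_LOG = <<~LOG
  action=agenda_item.move user=42 item=1000 from=meeting:1 to=meeting:1
  action=agenda_item.move user=42 item=1001 from=meeting:1 to=meeting:2
  action=agenda_item.update user=7 item=1002
  action=agenda_item.move user=7 item=3000 from=meeting:3 to=backlog:7
  action=agenda_item.move user=9 item=3001 from=meeting:3 to=backlog:8
LOG

# Every move that crosses a meeting boundary without a legitimate reason.
def suspicious_moves(log)
  log.each_line.filter_map do |line|
    m = MOVE_LINE.match(line.strip)
    next if m.nil? || legitimate_move?(m[:from], m[:to])

    { user: m[:user].to_i, item: m[:item].to_i, from: m[:from], to: m[:to] }
  end
end

# Suspicious moves per user, to decide whose activity to review first.
def suspicious_moves_per_user(log)
  suspicious_moves(log).group_by { |mv| mv[:user] }.transform_values(&:size)
end

if __FILE__ == $PROGRAM_NAME
  suspicious_moves(SAMPLE_LOG).each { |mv| puts mv.inspect }
  puts suspicious_moves_per_user(SAMPLE_LOG).inspect
end
```

On the sample lines the scanner flags item 1001 (moved from meeting 1 into meeting 2) and item 3001 (moved from meeting 3 into the backlog of a different series), and ignores the in-meeting move and the legitimate backlog move.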
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenProject to version 17.0.2 or later, which includes a patch that properly enforces meeting section ownership checks to prevent unauthorized movement of agenda items across meetings.
If an immediate upgrade is not possible, administrators should restrict the "Manage Agenda Items" permission to trusted users only, to reduce the risk of exploitation. [1]