CVE-2026-24777
Analyzed Analyzed - Analysis Complete
Improper Access Control in OpenProject Allows Admin Account Locking

Publication date: 2026-02-09

Last updated on: 2026-02-11

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24777
EUVD
EUVD-2026-6453
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenProject, an open-source web-based project management software. Before version 17.0.2, users who had the Manage Users permission could lock and unlock other users. However, due to a missing permission check, these users were able to lock application administrators, which they were not supposed to be able to do.

The issue was that the system did not properly enforce restrictions preventing non-administrator users from locking administrator accounts. This flaw was fixed in OpenProject version 17.0.2.

Impact Analysis

This vulnerability can impact you by allowing users with Manage Users permission to lock administrator accounts, potentially disrupting administrative control over the application.

Locking administrator accounts could prevent administrators from accessing the system, managing users, or performing critical administrative tasks, which could lead to denial of service or loss of control over the project management environment.

The CVSS score of 6.7 indicates a medium to high severity, reflecting the potential impact on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to version 17.0.2 or later, where the missing permission check allowing users with Manage Users permission to lock application administrators has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24777. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart