CVE-2026-40896
Privilege Escalation in OpenProject via Agenda Injection Vulnerability

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance, including projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openproject; Product: openproject; Version range: up to 17.3.0 (exclusive)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40896 is an authorization bypass vulnerability in OpenProject versions prior to 17.3.0. It allows a user with the `manage_agendas` permission in any project to inject agenda items into meetings of any other project on the same instance, even if they have no access to those projects.

The vulnerability arises because the system looks up meeting sections globally by ID without restricting the lookup to the current meeting or project. Since section IDs are globally unique and sequential, an attacker can enumerate them blindly.

The authorization check only verifies permissions against the attacker's own project, but a callback silently reassigns the agenda item to the victim project's meeting after authorization, allowing cross-project injection.

An attacker can send requests to move agenda items to victim meetings by guessing section IDs, causing their agenda items to appear in meetings they should not have access to.


How can this vulnerability impact me?

This vulnerability impacts the integrity of meeting data within OpenProject. An attacker with limited privileges can inject arbitrary agenda items, including titles, notes, and links, into meetings of any project on the instance.

Such unauthorized agenda items can be used for phishing, social engineering, or spreading misinformation to project members.

Confidentiality impact is low since the attacker cannot read or view the victim's meeting content, and availability is not affected.

The scope of the impact is instance-wide, meaning any user with `manage_agendas` permission in any project can target all meetings across the OpenProject instance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unauthorized POST requests to the move agenda item endpoint that attempt to move agenda items to section IDs outside the attacker's project scope.

An attacker enumerates valid section IDs by sending POST requests and observing HTTP response codes: HTTP 200 indicates a valid section ID, while HTTP 500 indicates an invalid one.

To detect exploitation attempts, you can look for unusual POST requests to the meeting agenda item move action with section IDs that do not belong to the attacker's project.

Example command using curl to test whether a section ID is valid (replace the placeholders accordingly):

  curl -X POST -H "Authorization: Bearer <token>" -d "section_id=<section_id>" https://<openproject-instance>/meeting_agenda_items/<agenda_item_id>/move_to_section

By iterating over sequential section IDs and checking the HTTP response codes, you can detect if the system is vulnerable or if an attacker is attempting to enumerate sections.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade OpenProject to version 17.3.0 or later, where this vulnerability has been patched.

The patch includes scoping the section lookup to the current meeting only, adding validation to ensure the meeting section belongs to the same meeting as the agenda item, and modifying the callback that silently reassigns the meeting association.

Until the upgrade can be applied, restrict users with the `manage_agendas` permission to trusted personnel only, as this permission allows exploitation of the vulnerability.

Monitor logs for suspicious POST requests attempting to move agenda items to sections outside the user's project scope.
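A simplified, self-contained model of the lookup change described above, added here as an illustration and not OpenProject's own code: the structs, sample records, permission table and the functions `move_vulnerable` and `move_fixed` are all constructed assumptions. It shows why a global section lookup followed by a post-authorization reassignment of the meeting lets an item cross projects, and how scoping the lookup to the current meeting and validating the association closes it.

```ruby
# Simplified, self-contained model of the agenda-item move (NOT OpenProject code).
# All structs, sample records and function names are constructed for illustration.
Meeting    = Struct.new(:id, :project_id)
Section    = Struct.new(:id, :meeting_id)
AgendaItem = Struct.new(:id, :meeting_id, :section_id)

class MoveError < StandardError; end

# Constructed sample data: two projects, one meeting each, one section each.
MEETINGS = { 1 => Meeting.new(1, 10), 2 => Meeting.new(2, 20) }
SECTIONS = { 100 => Section.new(100, 1), 200 => Section.new(200, 2) }
# user => project ids in which that user holds manage_agendas
PERMS = { "attacker" => [10] }

def authorized?(user, project_id)
  PERMS.fetch(user, []).include?(project_id)
end

# Pre-17.3.0 pattern as the advisory describes it: the permission check runs
# against the item's current meeting, the section is looked up globally by id,
# and the item's meeting is reassigned from the section after the check.
def move_vulnerable(user, item, section_id)
  meeting = MEETINGS.fetch(item.meeting_id)
  raise MoveError, "forbidden" unless authorized?(user, meeting.project_id)
  section = SECTIONS[section_id]            # global lookup: any meeting's section
  raise MoveError, "not found" unless section
  item.section_id = section.id
  item.meeting_id = section.meeting_id      # silent cross-meeting reassignment
  item
end

# Hardened pattern: scope the lookup to the item's own meeting and validate that
# the section belongs to that meeting, so the meeting association never changes.
def move_fixed(user, item, section_id)
  meeting = MEETINGS.fetch(item.meeting_id)
  raise MoveError, "forbidden" unless authorized?(user, meeting.project_id)
  section = SECTIONS.values.find { |s| s.id == section_id && s.meeting_id == meeting.id }
  raise MoveError, "not found" unless section
  raise MoveError, "section not in this meeting" unless section.meeting_id == item.meeting_id
  item.section_id = section.id
  item
end
```

With the sample data, moving item 5 (meeting 1, project 10) to section 200 succeeds in `move_vulnerable` and lands the item in meeting 2 (project 20), while `move_fixed` rejects the same request as not found.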


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an attacker with limited privileges to inject arbitrary agenda items into meetings of any project on the OpenProject instance, potentially enabling phishing, social engineering, or misinformation attacks.

While the attacker cannot read or access confidential meeting content, the integrity of meeting data is compromised, which could lead to misinformation or manipulation of project communications.

Such integrity violations could indirectly impact compliance with standards like GDPR or HIPAA, which require maintaining data integrity and protecting against unauthorized data manipulation, especially if meeting agendas contain sensitive or regulated information.

However, there is no direct indication from the provided information that confidentiality or availability of personal or protected health information is breached.

