CVE-2026-40896
Received Received - Intake
Privilege Escalation in OpenProject via Agenda Injection Vulnerability

Publication date: 2026-04-20

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance β€” even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40896
EUVD
EUVD-2026-23870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40896 is an authorization bypass vulnerability in OpenProject versions prior to 17.3.0. It allows a user with the `manage_agendas` permission in any project to inject agenda items into meetings of any other project on the same instance, even if they have no access to those projects.

The vulnerability arises because the system looks up meeting sections globally by ID without restricting the lookup to the current meeting or project. Since section IDs are globally unique and sequential, an attacker can enumerate them blindly.

The authorization check only verifies permissions against the attacker's own project, but a callback silently reassigns the agenda item to the victim project's meeting after authorization, allowing cross-project injection.

An attacker can send requests to move agenda items to victim meetings by guessing section IDs, causing their agenda items to appear in meetings they should not have access to.

Impact Analysis

This vulnerability impacts the integrity of meeting data within OpenProject. An attacker with limited privileges can inject arbitrary agenda items, including titles, notes, and links, into meetings of any project on the instance.

Such unauthorized agenda items can be used for phishing, social engineering, or spreading misinformation to project members.

Confidentiality impact is low since the attacker cannot read or view the victim's meeting content, and availability is not affected.

The scope of the impact is instance-wide, meaning any user with `manage_agendas` permission in any project can target all meetings across the OpenProject instance.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the move agenda item endpoint that attempt to move agenda items to section IDs outside the attacker's project scope.

An attacker enumerates valid section IDs by sending POST requests and observing HTTP response codes: HTTP 200 indicates a valid section ID, while HTTP 500 indicates an invalid one.

To detect exploitation attempts, you can look for unusual POST requests to the meeting agenda item move action with section IDs that do not belong to the attacker's project.

Example command using curl to test if a section ID is valid (replace placeholders accordingly):

  • curl -X POST -H "Authorization: Bearer <token>" -d "section_id=<section_id>" https://<openproject-instance>/meeting_agenda_items/<agenda_item_id>/move_to_section

By iterating over sequential section IDs and checking the HTTP response codes, you can detect if the system is vulnerable or if an attacker is attempting to enumerate sections.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to version 17.3.0 or later, where this vulnerability has been patched.

The patch includes scoping the section lookup to the current meeting only, adding validation to ensure the meeting section belongs to the same meeting as the agenda item, and modifying the callback that silently reassigns the meeting association.

Until the upgrade can be applied, restrict users with the `manage_agendas` permission to trusted personnel only, as this permission allows exploitation of the vulnerability.

Monitor logs for suspicious POST requests attempting to move agenda items to sections outside the user's project scope.

Compliance Impact

This vulnerability allows an attacker with limited privileges to inject arbitrary agenda items into meetings of any project on the OpenProject instance, potentially enabling phishing, social engineering, or misinformation attacks.

While the attacker cannot read or access confidential meeting content, the integrity of meeting data is compromised, which could lead to misinformation or manipulation of project communications.

Such integrity violations could indirectly impact compliance with standards like GDPR or HIPAA, which require maintaining data integrity and protecting against unauthorized data manipulation, especially if meeting agendas contain sensitive or regulated information.

However, there is no direct indication from the provided information that confidentiality or availability of personal or protected health information is breached.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart