CVE-2026-44732
Status: Deferred - Pending Action
Document Modification in OpenProject Allows Unauthorized Project Changes

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, OpenProject exposes a document update endpoint used to modify existing documents. The target document is loaded with visibility checks and then updated. During update, attacker-controlled attributes are applied to the persisted record before authorization is enforced. As a result, a user without :manage_documents in the source project can move and modify foreign project documents by setting project_id in a single PATCH request. This vulnerability is fixed in 17.3.2 and 17.4.0.
Meta Information
CVSS Scores: none recorded on this page
EPSS: not yet evaluated (no probability or percentile available)
Generated: 2026-06-27
Affected Vendors & Products (2 associated CPEs)
  • openproject / openproject: all versions before 17.3.2 (17.3.2 itself is fixed)
  • openproject / openproject: all versions before 17.4.0 (17.4.0 itself is fixed)
CWE
CWE-639 (Authorization Bypass Through User-Controlled Key): The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI-generated analysis (instant insights powered by AI)
Executive Summary

CVE-2026-44732 is an Insecure Direct Object Reference (IDOR, CWE-639) vulnerability in OpenProject versions prior to 17.3.2 and 17.4.0. It affects the document update endpoint, which this summary refers to as `/api/v3/documents/{id}`; the advisory text itself only says "a document update endpoint", so confirm the actual update route of your instance before relying on the path. An authenticated user sends a PATCH request to that endpoint to modify an existing document.

The issue arises because the target document is loaded with a visibility check only, and attacker-controlled attributes such as `project_id` are written to the record before the :manage_documents permission is enforced. The permission check is therefore evaluated against the project the attacker supplied rather than the project the document actually belongs to, so it passes whenever the attacker picks a project in which they do hold :manage_documents. A user who can merely view a document in the source project, with no :manage_documents permission there, can thus move it out of that project and modify it in a single PATCH request.
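The ordering problem described above, modelled as an added example in Ruby (OpenProject is a Rails application). This is illustrative code written for this page, not OpenProject's own model or service code: the `Document` and `User` stand-ins, the `Forbidden` error, the `assign` helper and the `:view_documents` permission name are assumptions made for the illustration (only `:manage_documents` and `project_id` are named in the advisory). The vulnerable function applies the caller's attributes before checking :manage_documents; the hardened one checks the persisted record first and, for a move, the destination project too.

```ruby
# Added example (not OpenProject's code): in-memory stand-ins for the
# Document/User models and the :view_documents / :manage_documents permissions,
# showing why assigning project_id before the permission check lets a document
# be moved out of a project the caller cannot manage.

Document = Struct.new(:id, :title, :project_id)

class Forbidden < StandardError; end

class User
  # permissions: { project_id => [:view_documents, :manage_documents, ...] }
  def initialize(name, permissions)
    @name = name
    @permissions = permissions
  end

  def allowed?(permission, project_id)
    Array(@permissions[project_id]).include?(permission)
  end
end

# Attributes a caller may set on a document (assumed allow-list for this example).
PERMITTED_ATTRIBUTES = %i[title project_id].freeze

# Copies the document and applies the caller-supplied attributes to the copy.
def assign(doc, attrs)
  updated = doc.dup
  attrs.each do |key, value|
    raise ArgumentError, "attribute #{key} not permitted" unless PERMITTED_ATTRIBUTES.include?(key)
    updated[key] = value
  end
  updated
end

# Vulnerable ordering (the bug described above): the visibility check runs on
# the document as loaded, but attacker-controlled attributes are applied before
# the :manage_documents check, so that check is evaluated against whatever
# project_id the caller supplied rather than the project the document is in.
def vulnerable_update(user, doc, attrs)
  raise Forbidden, "document not visible" unless user.allowed?(:view_documents, doc.project_id)
  updated = assign(doc, attrs)
  raise Forbidden, "manage_documents denied" unless user.allowed?(:manage_documents, updated.project_id)
  updated
end

# Hardened ordering: authorize against the persisted record first and, when the
# request moves the document, against the destination project as well; only
# then apply the caller's attributes.
def hardened_update(user, doc, attrs)
  raise Forbidden, "document not visible" unless user.allowed?(:view_documents, doc.project_id)
  raise Forbidden, "manage_documents denied in source project" unless user.allowed?(:manage_documents, doc.project_id)
  destination = attrs.fetch(:project_id, doc.project_id)
  if destination != doc.project_id && !user.allowed?(:manage_documents, destination)
    raise Forbidden, "manage_documents denied in destination project"
  end
  assign(doc, attrs)
end

# Runs one of the two update functions and reduces the outcome to a symbol so
# the orderings can be compared side by side.
def attempt(updater, user, doc, attrs)
  updater.call(user, doc, attrs).project_id == doc.project_id ? :unchanged : :moved
rescue Forbidden
  :forbidden
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: document 10 lives in project 1; mallory can only view
  # project 1 but manages her own project 2 and asks to move the document there.
  doc = Document.new(10, "Q3 plan", 1)
  mallory = User.new("mallory", { 1 => [:view_documents], 2 => [:view_documents, :manage_documents] })
  attrs = { project_id: 2, title: "Q3 plan (copied)" }
  puts "vulnerable ordering: #{attempt(method(:vulnerable_update), mallory, doc, attrs)}"
  puts "hardened ordering:   #{attempt(method(:hardened_update), mallory, doc, attrs)}"
end
```

Run with `ruby` and the vulnerable ordering reports `moved` while the hardened one reports `forbidden` for the same request. The general rule the fix encodes is that authorization must be decided on the record as persisted (and on every record the change would touch, here the destination project) before any caller-controlled attribute is assigned.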

This vulnerability was fixed in OpenProject versions 17.3.2 and 17.4.0.

Impact Analysis

This vulnerability allows an authenticated attacker with low privileges and no user interaction to move or modify documents in projects where they hold no :manage_documents permission.

As a result, unauthorized users can alter or relocate project documents, leading to integrity loss and unauthorized data manipulation within the OpenProject environment. Note that relocating a document also changes who can reach it: it disappears from the source project and becomes visible to members of the destination project, even though the attacker themselves already needed view access to the source.

The summary rates the impact as limited to integrity, with confidentiality and availability not affected, and assigns a medium severity with a CVSS score of 4.3; no official CVSS vector is recorded on this page, so treat that score as the summary's estimate.

Detection Guidance

Whether an instance is affected can be established from its version alone (anything before 17.3.2 or 17.4.0). Whether the flaw has been exercised is harder: ordinary access logs record the PATCH to the document update endpoint but not its body, so look for `project_id` in the application's request logging (Rails logs request parameters) or for documents whose project changed without a corresponding action by a user who holds :manage_documents in the original project.

A practical test is to issue the same PATCH once as a user who holds :manage_documents in the source project and once as a user who only has view access there, and observe whether the second request is accepted. The route used here is the one this page's summary gives; confirm it against your instance.

For example, using curl as the low-privileged test user (the OpenProject v3 API accepts basic auth with the user name `apikey` and that user's API token), then reading the document back to confirm where it now lives:

  • curl -sS -o /dev/null -w '%{http_code}\n' -X PATCH -u apikey:<low_privileged_user_api_key> -H "Content-Type: application/json" -d '{"project_id": "<foreign_project_id>"}' https://<openproject_url>/api/v3/documents/<document_id>
  • curl -sS -u apikey:<low_privileged_user_api_key> https://<openproject_url>/api/v3/documents/<document_id>

If the PATCH returns a 2xx status and the document's project has changed even though the test user lacks :manage_documents in the original project, the system is vulnerable. A fixed instance should reject the request (typically with HTTP 403) and leave the document in place. Run this only against a test document, since a successful request really does move it.
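A log-side version of the check described above, as an added example in Ruby; it is not from this page or from OpenProject. It groups Rails-style request log lines (`Started ...`, `Parameters: ...`, `Completed ...`) into requests, flags PATCH/PUT requests to the document update route that carry a `project_id` parameter, and records whether the server accepted them. The route `/api/v3/documents/{id}` is taken from this page's summary, and the sample log lines are constructed for the example; default Rails request logs do not record the acting user, so an accepted move still has to be cross-checked against that user's project memberships.

```ruby
# Added example (not from the page or from OpenProject): scans Rails-style
# request log lines for document updates that set project_id and reports
# whether each one was accepted. Route and sample lines are assumptions.

DOCUMENT_UPDATE_PATH = %r{\A/api/v3/documents/(?<doc_id>\d+)\z}  # route as given on this page
STARTED    = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]+)" for (?<ip>\S+)/
PARAMETERS = /\AParameters: (?<params>\{.*\})/
COMPLETED  = /\ACompleted (?<status>\d{3})/

Finding = Struct.new(:doc_id, :project_id, :ip, :status, keyword_init: true)

# Returns one Finding per PATCH/PUT to the document route whose parameters
# include a project_id, with the HTTP status the request completed with.
def scan_document_moves(lines)
  findings = []
  current = nil
  lines.each do |raw|
    line = raw.strip
    if (m = STARTED.match(line))
      # A new request begins; track it only if it is an update of a document.
      current = nil
      next unless %w[PATCH PUT].include?(m[:verb])
      next unless (p = DOCUMENT_UPDATE_PATH.match(m[:path]))
      current = Finding.new(doc_id: p[:doc_id].to_i, ip: m[:ip])
    elsif current && (m = PARAMETERS.match(line))
      # Rails logs the (filtered) params hash; a project_id on an update is the signal.
      pid = m[:params][/"project_id"=>"(\d+)"/, 1]
      current.project_id = pid.to_i if pid
    elsif current && (m = COMPLETED.match(line))
      current.status = m[:status].to_i
      findings << current if current.project_id
      current = nil
    end
  end
  findings
end

# Only the moves the application actually carried out (2xx responses).
def accepted_moves(lines)
  scan_document_moves(lines).select { |f| (200..299).cover?(f.status) }
end

# Constructed sample: a read, an accepted move, a rename without project_id,
# and a move that was rejected.
SAMPLE_LOG = <<~LOG.lines
  Started GET "/api/v3/documents/42" for 203.0.113.7 at 2026-06-26 10:14:58 +0000
  Completed 200 OK in 12ms (Views: 3.1ms | ActiveRecord: 2.0ms)
  Started PATCH "/api/v3/documents/42" for 203.0.113.7 at 2026-06-26 10:15:01 +0000
  Parameters: {"project_id"=>"7", "id"=>"42"}
  Completed 200 OK in 35ms (Views: 0.4ms | ActiveRecord: 9.8ms)
  Started PATCH "/api/v3/documents/43" for 198.51.100.4 at 2026-06-26 10:16:10 +0000
  Parameters: {"title"=>"renamed", "id"=>"43"}
  Completed 200 OK in 28ms (Views: 0.4ms | ActiveRecord: 8.1ms)
  Started PATCH "/api/v3/documents/44" for 203.0.113.7 at 2026-06-26 10:17:42 +0000
  Parameters: {"project_id"=>"7", "id"=>"44"}
  Completed 403 Forbidden in 9ms (Views: 0.2ms | ActiveRecord: 1.3ms)
LOG

if __FILE__ == $PROGRAM_NAME
  scan_document_moves(SAMPLE_LOG).each do |f|
    verdict = (200..299).cover?(f.status) ? "ACCEPTED (verify the user's permissions)" : "rejected"
    puts "document #{f.doc_id} -> project #{f.project_id} from #{f.ip}: HTTP #{f.status}, #{verdict}"
  end
end
```

On a pre-fix instance every accepted move by a user without :manage_documents in the document's original project is a confirmed exploitation; on a fixed instance those attempts should show up as rejected, which makes the rejected entries a useful record of who is still probing.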

Mitigation Strategies

The immediate mitigation is to upgrade OpenProject to version 17.3.2 or 17.4.0, where this vulnerability is fixed; no configuration option removes the flaw, because the missing check is in the update logic itself.

Until the upgrade can be performed, reduce exposure in three ways: at the reverse proxy, deny PATCH and PUT requests to the document update endpoint (`/api/v3/documents/{id}` as named by this summary; confirm the route on your instance) except from trusted networks or users; review which accounts hold :manage_documents in any project, since the attacker needs that permission in the destination project for the moved document; and log request parameters for that endpoint so that requests setting `project_id` can be reviewed. After upgrading, audit documents whose project changed during the exposure window and move any that were relocated without authorization back to their original project.
