CVE-2026-44734
Status: Deferred - Pending Action
Missing Authorization in OpenProject Cost Reports

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or permission level. An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner. This vulnerability is fixed in 17.3.2 and 17.4.0.
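The defect described above is a textbook CWE-862 shape: a write action that locates a record by its numeric ID and never relates the requesting user to that record. The following is an added illustration, not OpenProject's code; it is a framework-free Ruby sketch in which the class names, the `ReportPolicy` module, the `:manage_public_cost_reports` permission and the sample report are all hypothetical. It places the unchecked update path beside a hardened one that requires ownership or an explicit permission before writing, and records denials so that a burst of refused updates across many report IDs from one account is visible to detection.

```ruby
# Added example, not OpenProject's code: the struct names, permission symbol
# and sample data below are hypothetical.

User       = Struct.new(:id, :permissions, keyword_init: true)
CostReport = Struct.new(:id, :owner_id, :public, :name, :filters, keyword_init: true)

class NotAuthorized < StandardError; end

# Vulnerable shape (CWE-862): the action fetches the report by ID and writes
# to it. Nothing ties the requesting user to the report, so any authenticated
# user who knows or guesses the ID can rename it or replace its filters.
def update_unchecked(reports, report_id, attrs)
  report = reports.fetch(report_id)
  report.name    = attrs[:name]    if attrs.key?(:name)
  report.filters = attrs[:filters] if attrs.key?(:filters)
  report
end

# Hardened shape: an explicit policy decides before any write. A user may
# modify a report only if they own it, or if the report is public and they
# hold a dedicated permission for managing public reports.
module ReportPolicy
  MANAGE_PUBLIC = :manage_public_cost_reports # hypothetical permission name

  def self.may_update?(user, report)
    return true if report.owner_id == user.id
    return true if report.public && user.permissions.include?(MANAGE_PUBLIC)
    false
  end
end

def update_checked(reports, user, report_id, attrs, audit_log: [])
  report = reports.fetch(report_id)
  unless ReportPolicy.may_update?(user, report)
    # Denials are logged: many DENY lines over different report IDs from one
    # user within a short window is the pattern a detection rule would flag.
    audit_log << "DENY user=#{user.id} report=#{report_id} attrs=#{attrs.keys.join(',')}"
    raise NotAuthorized, "user #{user.id} may not modify report #{report_id}"
  end
  audit_log << "ALLOW user=#{user.id} report=#{report_id} attrs=#{attrs.keys.join(',')}"
  report.name    = attrs[:name]    if attrs.key?(:name)
  report.filters = attrs[:filters] if attrs.key?(:filters)
  report
end

# Constructed sample data: one public report owned by user 1.
def sample_reports
  { 42 => CostReport.new(id: 42, owner_id: 1, public: true,
                         name: "Q2 labour costs", filters: { project_id: 7 }) }
end

if __FILE__ == $PROGRAM_NAME
  log      = []
  owner    = User.new(id: 1, permissions: [])
  stranger = User.new(id: 2, permissions: [])
  reports  = sample_reports

  update_unchecked(reports, 42, { name: "renamed by anyone" })
  puts "unchecked path: name is now #{reports[42].name.inspect}"

  begin
    update_checked(reports, stranger, 42, { name: "hijacked" }, audit_log: log)
  rescue NotAuthorized => e
    puts "checked path: #{e.message}"
  end
  update_checked(reports, owner, 42, { filters: { project_id: 9 } }, audit_log: log)
  puts log
end
```

The policy is deliberately a separate module so the same decision can be reused by every action that writes to a report (rename, update, delete) rather than re-implemented per action, which is how one action ends up without a check while its siblings have one.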
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)
Vendor        Product       Version / Range
openproject   openproject   to 17.3.2 (inc)
openproject   openproject   to 17.4.0 (inc)
openproject   openproject   to 17.3.2 (exc)
openproject   openproject   to 17.4.0 (exc)
Exploitability
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-44734 is an Improper Access Control vulnerability in the OpenProject software, specifically in the CostReportsController component. It affects versions prior to 17.3.2 and 17.4.0.

The issue allows any authenticated user to rename or update any public cost report's name, filters, and grouping without verifying if the user owns the report or has the appropriate permission level.

An attacker can exploit this vulnerability by discovering or guessing the numeric ID of a public report and then modifying it without the report owner's knowledge.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to version 17.3.2 or later, or 17.4.0 or later, where the issue has been fixed.

This will ensure that the CostReportsController properly verifies ownership and permission levels before allowing modifications to public cost reports.

Impact Analysis

This vulnerability can impact you by allowing unauthorized authenticated users to modify public cost reports in your OpenProject system.

  • Attackers can rename reports, potentially causing confusion or misrepresentation of data.
  • They can also overwrite filter configurations, which may alter how data is grouped or displayed, leading to incorrect or misleading project cost information.

These unauthorized changes occur without any warning to the report owner, which can undermine trust and data integrity within your project management environment.

Compliance Impact

The vulnerability allows any authenticated user to modify public cost reports without verifying ownership or permission level, potentially leading to unauthorized changes in data presentation or filtering.

However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
