CVE-2026-44734
Deferred Deferred - Pending Action

Missing Authorization in OpenProject Cost Reports

Vulnerability report for CVE-2026-44734, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-27

Assigner: GitHub, Inc.

Description

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or permission level. An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner. This vulnerability is fixed in 17.3.2 and 17.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-27
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
openproject openproject to 17.3.2 (inc)
openproject openproject to 17.4.0 (inc)
openproject openproject to 17.3.2 (exc)
openproject openproject to 17.4.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44734 is an Improper Access Control vulnerability in the OpenProject software, specifically in the CostReportsController component. It affects versions prior to 17.3.2 and 17.4.0.

The issue allows any authenticated user to rename or update any public cost report's name, filters, and grouping without verifying if the user owns the report or has the appropriate permission level.

An attacker can exploit this vulnerability by discovering or guessing the numeric ID of a public report and then modifying it without the report owner's knowledge.

Detection Guidance

This vulnerability involves unauthorized modification of public cost reports by any authenticated user through the rename and update actions in OpenProject's CostReportsController. Detection involves monitoring for unexpected changes to public cost reports, especially changes to their names, filters, or grouping configurations.

Since the vulnerability is exploited by guessing or discovering numeric IDs of public reports, one way to detect potential exploitation is to audit logs for unusual update or rename requests targeting public cost reports by authenticated users who should not have permission.

Specific commands depend on your logging and monitoring setup, but generally you can:

  • Check web server or application logs for HTTP requests to endpoints related to cost report rename or update actions (e.g., URLs containing /cost_reports/rename or /cost_reports/update) with authenticated user sessions.
  • Use grep or similar tools to filter logs for suspicious activity, for example:
  • grep -i 'cost_reports' /var/log/openproject/access.log | grep -E 'rename|update'
  • Review audit logs or database logs for changes to public cost reports' name, filters, or grouping fields by users without appropriate permissions.
  • If you have API access logs, query for PATCH or PUT requests to cost report resources by authenticated users.

In summary, detection focuses on monitoring and analyzing logs for unauthorized modifications to public cost reports by authenticated users.

Impact Analysis

This vulnerability can impact you by allowing unauthorized authenticated users to modify public cost reports in your OpenProject system.

  • Attackers can rename reports, potentially causing confusion or misrepresentation of data.
  • They can also overwrite filter configurations, which may alter how data is grouped or displayed, leading to incorrect or misleading project cost information.

These unauthorized changes occur without any warning to the report owner, which can undermine trust and data integrity within your project management environment.

Compliance Impact

The vulnerability allows any authenticated user to modify public cost reports without verifying ownership or permission level, potentially leading to unauthorized changes in data presentation or filtering.

However, there is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to version 17.3.2 or later, or 17.4.0 or later, where the issue has been fixed.

This will ensure that the CostReportsController properly verifies ownership and permission levels before allowing modifications to public cost reports.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44734. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart