CVE-2026-52779
Status: Deferred - Pending Action
Cross-Project IDOR in OpenProject Calendar and Team Planner

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.
Meta Information
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (3 associated CPEs)
Vendor        Product       Version / Range
openproject   openproject   up to 17.4.1 (excluding)
openproject   openproject   up to 17.4.0 (including)
openproject   openproject   17.5.0
CWE ID    Description
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-52779 is a cross-project authorization bypass vulnerability in OpenProject, web-based project management software. It allows a user who has management permissions in one project to delete public Calendar or Team Planner queries from another project where they do not have such permissions.

The issue arises because the application authorizes the deletion request based on the project ID in the URL, but then loads the actual query object without verifying that it belongs to the authorized project. This inconsistency in authorization logic enables an attacker to misuse their permissions from one project to affect another.

Specifically, the vulnerable endpoints are DELETE /projects/:project_id/calendars/:id and DELETE /projects/:project_id/team_planners/:id. The flaw is fixed in OpenProject version 17.5.0.
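The authorization-context confusion described above, reduced to a minimal Ruby model. This is an added illustration, not OpenProject's code: the structs, the permission table, the `visible_queries` stand-in for `Query.visible(current_user)` and the two `delete_query_*` methods are all assumptions constructed for this example. It shows why authorizing against the URL's project and then loading the record by bare id is not enough, and how scoping the lookup to the authorized project closes the gap.

```ruby
# Added example (not OpenProject's code): the vulnerable lookup beside the
# scoped lookup that fixes the cross-project confusion.

Project = Struct.new(:id, :name)
Query   = Struct.new(:id, :project_id, :public)

# Constructed sample data: two projects, one public query in each.
PROJECTS = { 1 => Project.new(1, "Project A"), 2 => Project.new(2, "Project B") }
QUERIES  = { 10 => Query.new(10, 1, true), 20 => Query.new(20, 2, true) }

# Constructed permissions: "mallory" manages only Project A, "bob" only Project B.
MANAGE_PERMS = { "mallory" => [1], "bob" => [2] }

def manage_permission?(user, project_id)
  MANAGE_PERMS.fetch(user, []).include?(project_id)
end

# Stand-in for Query.visible(current_user): public queries are visible to
# every user regardless of which project they live in.
def visible_queries(_user)
  QUERIES.values.select(&:public)
end

# Vulnerable flow: the permission check uses :project_id from the URL, but the
# record is then loaded by :id from the user-visible set. Nothing ties the
# loaded query back to the project that was just authorized.
def delete_query_vulnerable(user:, project_id:, id:)
  return :forbidden unless manage_permission?(user, project_id)

  query = visible_queries(user).find { |q| q.id == id }
  return :not_found unless query

  :deleted # the real controller would destroy the record here
end

# Fixed flow: identical permission check, but the lookup is additionally
# scoped to the authorized project, so an :id owned by another project is
# simply not found for this request.
def delete_query_fixed(user:, project_id:, id:)
  return :forbidden unless manage_permission?(user, project_id)

  query = visible_queries(user).find { |q| q.id == id && q.project_id == project_id }
  return :not_found unless query

  :deleted
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, A-manager deleting B's query: #{delete_query_vulnerable(user: 'mallory', project_id: 1, id: 20)}"
  puts "fixed,      A-manager deleting B's query: #{delete_query_fixed(user: 'mallory', project_id: 1, id: 20)}"
end
```

The defensive rule the fixed version encodes is that the record must be loaded through the same scope that was authorized; a visibility scope alone answers "may this user see it", not "is this the resource the checked permission applies to".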

Impact Analysis

This vulnerability allows an attacker with management permissions in one project to delete shared or public Calendar or Team Planner views in another project where they lack those permissions.

The impact includes integrity loss, as important shared views can be deleted without proper authorization, and limited availability, since users relying on those shared views may lose access to them.

Detection Guidance

This vulnerability can be detected by monitoring and testing the DELETE requests to the vulnerable endpoints in OpenProject. Specifically, the endpoints to check are DELETE /projects/:project_id/calendars/:id and DELETE /projects/:project_id/team_planners/:id.

To detect exploitation attempts or verify the vulnerability, you can attempt to perform DELETE requests on public Calendar or Team Planner queries in projects where the user does not have management permissions but has management permissions in another project.

Example commands using curl to test the vulnerability might look like:

  • curl -X DELETE -H "Authorization: Bearer <token>" https://<openproject-url>/projects/<projectA_id>/calendars/<queryB_id>
  • curl -X DELETE -H "Authorization: Bearer <token>" https://<openproject-url>/projects/<projectA_id>/team_planners/<queryB_id>

If these requests succeed in deleting queries from projects where the user lacks management permissions, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to a fixed version. The vulnerability is fixed in versions 17.3.3, 17.4.1, and later, with the patched version being 17.5.0.

Until the upgrade can be applied, restrict management permissions carefully to trusted users only, as the vulnerability requires management permissions in at least one project.

Additionally, monitor and audit DELETE requests to the affected endpoints to detect any unauthorized deletion attempts.

Compliance Impact

This vulnerability allows an attacker with management permissions in one project to delete public Calendar or Team Planner queries from another project without proper authorization, leading to integrity and limited availability impacts on shared data.

Such unauthorized deletion of shared data could potentially affect compliance with standards and regulations that require data integrity and availability, such as GDPR and HIPAA, since these regulations mandate protecting data from unauthorized alteration or loss.

However, the provided information does not explicitly discuss or analyze the impact of this vulnerability on compliance with any specific standards or regulations.
