CVE-2026-52782
Status: Deferred - Pending Action
Insecure Direct Object Reference in OpenProject via PATCH Parameter

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]" allows access to unauthorized resources. A project admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
Meta Information
Generated: 2026-06-27
AI Q&A generated: 2026-06-27
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openproject openproject to 17.4.1 (exc)
openproject openproject to 17.4.1 (inc)
openproject openproject to 17.3.3|end_excluding=17.4.1 (exc)
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Executive Summary

This vulnerability is an Insecure Direct Object Reference (IDOR) in OpenProject versions prior to 17.3.3 and 17.4.1. A project administrator in one project can exploit it by sending a crafted PATCH request that modifies the "storages_project_storage[project_folder_id]" parameter. This lets the attacker hijack the managed Nextcloud or OneDrive folder of another project on the same storage.

During the next synchronization, the Access Control List (ACL) on the victim's folder is overwritten with the attacker project's user list, granting unauthorized access to the victim's folder resources.

Impact Analysis

This vulnerability can have a critical impact by allowing an attacker with project-admin privileges in one project to gain unauthorized access to another project's managed storage folders (Nextcloud or OneDrive).

The attacker can overwrite the Access Control List (ACL) on the victim's folder, potentially exposing sensitive data, modifying or deleting files, and disrupting availability.

The CVSS score of 9.9 indicates a high severity with significant impact on confidentiality, integrity, and availability of data.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious PATCH requests to the endpoint /projects/<A>/settings/project_storages/<A_ps_id> that modify the parameter "storages_project_storage[project_folder_id]".

Specifically, look for requests where a project administrator attempts to change the project_folder_id to one that does not belong to their project, which could indicate an attempt to hijack another project's managed folder.

Application logs can be searched for such PATCH requests. Note that the parameter travels in the request body, so a plain web-server access log usually records only the method and path; the parameter name itself is visible only in logs that record request parameters (such as the application log), and it may appear URL-encoded there. For example, using grep on server logs:

  • grep -i 'PATCH /projects/' /var/log/openproject/access.log | grep -F 'storages_project_storage[project_folder_id]' (the -F flag is required: without it grep reads the square brackets as a character class and the pattern no longer matches the literal parameter name)
  • Use web application firewall (WAF) rules to detect and alert on PATCH requests modifying project_folder_id parameters across projects.
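
The check described above, as an added example that is not part of this CVE record or of OpenProject itself: it runs over constructed log lines in a hypothetical "METHOD PATH form-parameters" format, decodes URL-encoded parameter names, and flags a PATCH only when the written project_folder_id is already owned by a different project according to a constructed folder inventory (in a real deployment that inventory would come from the project storage rows in the database).

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical format, not real OpenProject output):
# "<METHOD> <PATH> <form-parameters>", as a log that records request bodies might
# store them. The second line is URL-encoded to show that the matcher decodes first.
SAMPLE_LOG = [
    "PATCH /projects/alpha/settings/project_storages/12 storages_project_storage[project_folder_id]=101",
    "PATCH /projects/alpha/settings/project_storages/12 storages_project_storage%5Bproject_folder_id%5D=202",
    "PATCH /projects/beta/settings/project_storages/34 storages_project_storage[project_folder_id]=202",
    "GET /projects/alpha/settings/project_storages/12",
]

# Constructed inventory (assumption): which project currently owns each managed
# folder id. A real check would read this from the project storage rows.
FOLDER_OWNER = {"101": "alpha", "202": "beta"}

PATCH_RE = re.compile(
    r"^PATCH /projects/(?P<project>[^/\s]+)/settings/project_storages/(?P<ps_id>\d+)\b"
    r".*storages_project_storage\[project_folder_id\]=(?P<folder>\d+)"
)


def parse_patch(line):
    """Return (project, ps_id, folder) for a PATCH that sets project_folder_id, else None."""
    m = PATCH_RE.match(unquote(line))
    return (m["project"], m["ps_id"], m["folder"]) if m else None


def find_cross_project_folder_writes(lines, folder_owner):
    """Flag PATCHes that point a project's storage row at a folder owned by another project.

    Returns a list of (project, ps_id, folder, current_owner) tuples."""
    hits = []
    for line in lines:
        parsed = parse_patch(line)
        if parsed is None:
            continue
        project, ps_id, folder = parsed
        owner = folder_owner.get(folder)
        # A project re-pointing its row at a folder it already owns is normal;
        # pointing it at another project's folder is the pattern to alert on.
        if owner is not None and owner != project:
            hits.append((project, ps_id, folder, owner))
    return hits


if __name__ == "__main__":
    for hit in find_cross_project_folder_writes(SAMPLE_LOG, FOLDER_OWNER):
        print("cross-project project_folder_id write:", hit)
```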
Mitigation Strategies

The immediate mitigation step is to upgrade OpenProject to version 17.3.3 or 17.4.1 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict PATCH access to the /projects/<A>/settings/project_storages/<A_ps_id> endpoint to trusted project administrators only and monitor for suspicious activity.

Additionally, review and audit the Access Control Lists (ACLs) on managed Nextcloud or OneDrive folders to ensure no unauthorized changes have been made.

Compliance Impact

This vulnerability allows a project administrator to gain unauthorized access to another project's managed Nextcloud or OneDrive folder by overwriting access control lists. Such unauthorized access can lead to exposure or modification of sensitive data.

Because the vulnerability impacts confidentiality, integrity, and availability of data with a critical severity (CVSS 9.9), it poses a significant risk to compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on unauthorized data access and protection of personal or sensitive information.
