CVE-2026-23646

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23646
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23646.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23646
Aliases
  • GHSA-w422-xf8f-v4vp
Published
2026-01-19T17:48:03.082Z
Modified
2026-03-01T02:56:55.017779Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
OpenProject users can delete other user's session, causing them to be logged out
Details

OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using DELETE /my/sessions/:id and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23646.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-488"
    ]
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
99112f321595e2fa5bd54727ceb2a20a07157af3

Affected versions

11.*
11.2.1
2.*
2.4.0
release/3.*
release/3.0.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.0.3
v11.0.4
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.2.0
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v16.4.0
v16.4.1
v16.5.0
v16.5.1
v16.6.0
v16.6.1
v16.6.2
v16.6.3
v16.6.4
v3.*
v3.0.0
v3.0.1
v3.0.11
v3.0.12
v3.0.13
v3.0.8
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-beta
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v9.*
v9.0.0-pre
v9.0.2-pre

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23646.json"