CVE-2026-24776

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24776

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24776.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24776

Aliases

GHSA-p9v8-w9ph-hqmf

Published

2026-02-06T17:56:11.712Z

Modified

2026-02-25T00:36:39.201912Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer

Details

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24776.json"
}

References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type: GIT
Repo: https://github.com/opf/openproject
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

87a8cdc7632de8ab06475ba373fd354e0be30e2a

Affected versions

11.*

11.2.1

2.*

2.4.0

release/3.*

release/3.0.0

Other

sprint/2014_08

sprint/2014_09

sprint/2014_10

sprint/2014_11

sprint/2014_12

sprint/2014_13

sprint/2014_16

sprint/2014_18

sprint/2015_01

sprint/2015_02

sprint/2015_03

sprint/2015_04

v10.*

v10.5

v11.*

v11.0.0

v11.0.1

v11.0.2

v11.0.3

v11.0.4

v11.1.0

v11.1.1

v11.1.2

v11.1.3

v11.1.4

v11.2.0

v11.2.1

v11.2.2

v11.2.3

v11.2.4

v17.*

v17.0.0

v17.0.1

v3.*

v3.0.0

v3.0.1

v3.0.11

v3.0.12

v3.0.13

v3.0.8

v4.*

v4.0.0

v4.0.1

v4.0.10

v4.0.11

v4.0.12

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.1.0

v4.1.0-beta

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v5.*

v5.0.0

v5.0.1

v5.0.10

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v9.*

v9.0.0-pre

v9.0.2-pre

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24776.json"