CVE-2026-24776

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24776

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24776.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24776

Aliases

GHSA-p9v8-w9ph-hqmf

Published

2026-02-06T17:56:11.712Z

Modified

2026-04-10T05:39:32.249331Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

OpenProject has an IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer

Details

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24776.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-639"
    ]
}

References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type: GIT
Repo: https://github.com/opf/openproject
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

87a8cdc7632de8ab06475ba373fd354e0be30e2a

Affected versions

v17.*

v17.0.0

v17.0.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24776.json"