CVE-2026-24777

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-24777

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24777.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-24777

Aliases

GHSA-fq66-cwg6-qq69

Published

2026-02-09T18:28:45.146Z

Modified

2026-02-13T00:39:04.965494Z

Severity

6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H CVSS Calculator

Summary

OpenProject has Improper Access Control on User Management allows user managers to lock admin accounts

Details

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24777.json"
}

References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type: GIT
Repo: https://github.com/opf/openproject
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

87a8cdc7632de8ab06475ba373fd354e0be30e2a

Affected versions

11.*

11.2.1

2.*

2.4.0

release/3.*

release/3.0.0

Other

sprint/2014_08

sprint/2014_09

sprint/2014_10

sprint/2014_11

sprint/2014_12

sprint/2014_13

sprint/2014_16

sprint/2014_18

sprint/2015_01

sprint/2015_02

sprint/2015_03

sprint/2015_04

v10.*

v10.5

v11.*

v11.0.0

v11.0.1

v11.0.2

v11.0.3

v11.0.4

v11.1.0

v11.1.1

v11.1.2

v11.1.3

v11.1.4

v11.2.0

v11.2.1

v11.2.2

v11.2.3

v11.2.4

v17.*

v17.0.0

v17.0.1

v3.*

v3.0.0

v3.0.1

v3.0.11

v3.0.12

v3.0.13

v3.0.8

v4.*

v4.0.0

v4.0.1

v4.0.10

v4.0.11

v4.0.12

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.1.0

v4.1.0-beta

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v5.*

v5.0.0

v5.0.1

v5.0.10

v5.0.2

v5.0.3

v5.0.4

v5.0.5

v5.0.6

v5.0.7

v5.0.8

v5.0.9

v9.*

v9.0.0-pre

v9.0.2-pre

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24777.json"