CVE-2026-30239

Source
https://cve.org/CVERecord?id=CVE-2026-30239
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30239.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30239
Aliases
  • GHSA-gpvh-g967-g4h8
Published
2026-03-11T16:27:31.895Z
Modified
2026-04-10T05:41:48.891023Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
OpenProject has a Permission Check bypass on Budget deletion that allows reassignment of WorkPackages into other budgets
Details

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30239.json",
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v17.*
v17.0.0
v17.0.1
v17.0.2
v17.0.3
v17.0.4
v17.0.5
v17.1.0
v17.1.1
v17.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30239.json"