CVE-2026-44734

Source
https://cve.org/CVERecord?id=CVE-2026-44734
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44734.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44734
Aliases
  • GHSA-c767-34gh-gh2h
Published
2026-06-26T19:33:08.650Z
Modified
2026-07-15T01:49:07.062279107Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
OpenProject: Improper Access Control on OpenProject through the POST request to /projects/[PROJECT_NAME]/cost_reports/[REPORT_ID]/rename
Details

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, a Missing Authorization vulnerability exists in OpenProject's CostReportsController. The rename and update actions allow any authenticated user to modify the name, filters, and grouping of any Public cost report in the system without verifying ownership or permission level. An attacker who discovers or guesses a public report's numeric ID can rename or overwrite its filter configuration without any warning to the report's owner. This vulnerability is fixed in 17.3.2 and 17.4.0.

Database specific
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44734.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "17.3.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

11.*
11.2.1
2.*
2.4.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v17.*
v17.3.1
v5.*
v5.0.4
v9.*
v9.0.0-pre

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44734.json"