FKIE_CVE-2026-23646

Vulnerability from fkie_nvd - Published: 2026-01-19 18:16 - Updated: 2026-02-02 20:46
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled.
References
security-advisories@github.comhttps://github.com/opf/openproject/releases/tag/v16.6.5Release Notes
security-advisories@github.comhttps://github.com/opf/openproject/releases/tag/v17.0.1Release Notes
security-advisories@github.comhttps://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vpVendor Advisory
Impacted products
Vendor Product Version
openproject openproject *
openproject openproject 17.0.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C6FE059-AB36-4883-AE55-2E65FDE51BD2",
              "versionEndExcluding": "16.6.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openproject:openproject:17.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "78FA3834-A1AB-4489-AE2A-2C7FAE9B619F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings \u2192 Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled."
    },
    {
      "lang": "es",
      "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Los usuarios de versiones de OpenProject anteriores a la 16.6.5 y 17.0.1 tienen la capacidad de ver y finalizar sus sesiones activas a trav\u00e9s de Configuraci\u00f3n de la cuenta ? Sesiones. Al eliminar una sesi\u00f3n, no se verificaba correctamente si la sesi\u00f3n pertenec\u00eda al usuario. Dado que el ID que se utiliza para identificar estos objetos de sesi\u00f3n usa enteros incrementales, los usuarios pod\u00edan iterar solicitudes usando \u0027DELETE /my/sessions/:id\u0027 y as\u00ed desautenticar a otros usuarios. Los usuarios no ten\u00edan acceso a ninguna informaci\u00f3n sensible (como identificador de navegador, direcciones IP, etc.) de otros usuarios que se almacena en la sesi\u00f3n. El problema fue parcheado en las versiones de OpenProject 16.6.5 y 17.0.1. No hay soluciones alternativas conocidas disponibles ya que esto no requiere ning\u00fan permiso u otro que pueda deshabilitarse temporalmente."
    }
  ],
  "id": "CVE-2026-23646",
  "lastModified": "2026-02-02T20:46:13.157",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-19T18:16:05.587",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/opf/openproject/releases/tag/v16.6.5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/opf/openproject/releases/tag/v17.0.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-488"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.