FKIE_CVE-2026-24777

Vulnerability from fkie_nvd - Published: 2026-02-09 19:15 - Updated: 2026-02-11 18:28
Severity ?
6.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Summary
OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.
References
security-advisories@github.comhttps://github.com/opf/openproject/releases/tag/v17.0.2Release Notes
security-advisories@github.comhttps://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69Vendor Advisory
Impacted products
Vendor Product Version
openproject openproject *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FA4C106-EEE3-4582-BE10-010975AE359B",
              "versionEndExcluding": "17.0.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2."
    },
    {
      "lang": "es",
      "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Antes de la versi\u00f3n 17.0.2, los usuarios con el permiso Gestionar Usuarios pod\u00edan bloquear y desbloquear usuarios. Esta funcionalidad solo deber\u00eda ser posible para los usuarios de la aplicaci\u00f3n, pero no se supon\u00eda que pudieran bloquear a los administradores de la aplicaci\u00f3n. Debido a una comprobaci\u00f3n de permisos faltante, esta l\u00f3gica no se aplic\u00f3. El problema se solucion\u00f3 en OpenProject 17.0.2."
    }
  ],
  "id": "CVE-2026-24777",
  "lastModified": "2026-02-11T18:28:40.220",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-09T19:15:50.200",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/opf/openproject/releases/tag/v17.0.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.