CVE-2026-40896 MEDIUM

CVE-2026-40896: OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup

Vendor Opf
Product openproject
Weakness CWE-367
Published April 20, 2026
Last update April 20, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
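As an added illustration (not OpenProject's code; this record does not show the project's actual controllers), the following plain-Ruby sketch contrasts the bug class named in the title, a meeting section found by bare id, with a lookup resolved through the meeting whose project the `manage_agendas` check actually covers. Function names, the `Meeting`/`MeetingSection` structs and the fixture data are assumptions made for the sketch.

```ruby
# Added illustration (hypothetical, not OpenProject's code): the difference
# between an unscoped section lookup and one scoped through the meeting
# whose project the permission check actually covers.

NotFound  = Class.new(StandardError)
Forbidden = Class.new(StandardError)

Meeting        = Struct.new(:id, :project_id, :agenda_items)
MeetingSection = Struct.new(:id, :meeting_id)
User           = Struct.new(:name, :permissions) # { project_id => [perm, ...] }

def can?(user, perm, project_id)
  user.permissions.fetch(project_id, []).include?(perm)
end

# Vulnerable pattern: the permission is checked against the project the
# caller names, but the section is found by bare id across the whole
# instance, so the item lands in whatever meeting that section belongs to.
def add_item_unscoped(meetings, sections, user, project_id, section_id, text)
  raise Forbidden unless can?(user, :manage_agendas, project_id)
  section = sections[section_id] or raise NotFound
  meeting = meetings[section.meeting_id]
  meeting.agenda_items << text
  meeting
end

# Fixed pattern: resolve the meeting first, check manage_agendas on the
# project that owns it, and accept only a section that belongs to it.
def add_item_scoped(meetings, sections, user, meeting_id, section_id, text)
  meeting = meetings[meeting_id] or raise NotFound
  raise Forbidden unless can?(user, :manage_agendas, meeting.project_id)
  section = sections[section_id]
  raise NotFound unless section && section.meeting_id == meeting.id
  meeting.agenda_items << text
  meeting
end

# Constructed fixture: two projects with one meeting each; the user holds
# manage_agendas only in project 10.
def fixture
  meetings = { 1 => Meeting.new(1, 10, []), 2 => Meeting.new(2, 20, []) }
  sections = { 100 => MeetingSection.new(100, 1), 101 => MeetingSection.new(101, 2) }
  user = User.new("member_of_10", { 10 => [:manage_agendas] })
  [meetings, sections, user]
end
```

With the fixture, the unscoped path lets the project-10 member write into project 20's meeting, while the scoped path rejects both a foreign meeting (Forbidden) and a section that does not belong to the named meeting (NotFound).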

Key dates

Disclosure timeline

April 20, 2026 CVE published
April 20, 2026 Record updated