CVE-2026-24777
MEDIUM
OpenProject < 17.0.2 - Missing Authorization for User Lock/Unlock
Title source: llmDescription
OpenProject is an open-source, web-based project management application. Prior to 17.0.2, users holding the Manage Users permission can lock and unlock user accounts. That capability was meant to apply only to regular application users; holders of the permission were not supposed to be able to lock application administrators. Because the corresponding permission check was missing, that restriction was not enforced, so any account with Manage Users could lock or unlock an administrator. The CVSS vector (PR:H) reflects this precondition: the attacker must already hold the Manage Users permission. The problem was fixed in OpenProject 17.0.2.
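The following is an added illustration of the authorization gap described above, written for this page; it is not OpenProject's code. It models the CWE-862 pattern in Ruby (OpenProject is a Rails application): the vulnerable shape checks only the actor's own permission, while the hardened shape also checks the role of the target account. The `User` struct, the `:manage_user` permission symbol and the `lock_user_*` method names are hypothetical stand-ins, and the rule that administrators may still lock or unlock other administrators is an assumption not stated on the page.

```ruby
# Added example, not OpenProject code: a minimal model of the authorization
# gap behind CVE-2026-24777 (CWE-862, Missing Authorization).
# Names (User, :manage_user, lock_user_*) are hypothetical stand-ins.

User = Struct.new(:login, :admin, :permissions, :locked, keyword_init: true) do
  # Administrators implicitly hold every permission.
  def allowed?(permission)
    admin || permissions.include?(permission)
  end
end

class AuthorizationError < StandardError; end

# Vulnerable shape: only the actor's own permission is checked. Nothing
# looks at who the target is, so a Manage Users holder can lock an admin.
def lock_user_vulnerable!(actor:, target:)
  raise AuthorizationError, "manage_user required" unless actor.allowed?(:manage_user)
  target.locked = true
  target
end

# Hardened shape: the actor's permission AND the target's role are checked.
# Assumption (not stated on the page): administrators may still lock or
# unlock other administrators; non-admin actors may not touch admin accounts.
def set_lock_state_fixed!(actor:, target:, locked:)
  raise AuthorizationError, "manage_user required" unless actor.allowed?(:manage_user)
  if target.admin && !actor.admin
    raise AuthorizationError,
          "#{actor.login} may not change lock state of administrator #{target.login}"
  end
  target.locked = locked
  target
end

def lock_user_fixed!(actor:, target:)
  set_lock_state_fixed!(actor: actor, target: target, locked: true)
end

def unlock_user_fixed!(actor:, target:)
  set_lock_state_fixed!(actor: actor, target: target, locked: false)
end

# Returns :allowed or :denied for a given call, so both variants can be
# compared side by side on the same constructed accounts.
def outcome
  yield
  :allowed
rescue AuthorizationError
  :denied
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts (not real data).
  admin   = User.new(login: "root", admin: true,  permissions: [],             locked: false)
  manager = User.new(login: "mgr",  admin: false, permissions: [:manage_user], locked: false)
  member  = User.new(login: "bob",  admin: false, permissions: [],             locked: false)

  puts "vulnerable, manager locks admin:  #{outcome { lock_user_vulnerable!(actor: manager, target: admin.dup) }}" # allowed
  puts "fixed,      manager locks admin:  #{outcome { lock_user_fixed!(actor: manager, target: admin.dup) }}"      # denied
  puts "fixed,      manager locks member: #{outcome { lock_user_fixed!(actor: manager, target: member.dup) }}"     # allowed
  puts "fixed,      member locks manager: #{outcome { lock_user_fixed!(actor: member, target: manager.dup) }}"     # denied
  puts "fixed,      admin unlocks admin:  #{outcome { unlock_user_fixed!(actor: admin, target: admin.dup) }}"      # allowed
end
```

The point of the side-by-side is that a permission check on the caller alone is not an authorization check on the operation: the decision has to consider the object being acted on (here, whether the target is an administrator), which is exactly the piece the pre-17.0.2 code path lacked.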
References (2)
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69
Release Notes: https://github.com/opf/openproject/releases/tag/v17.0.2
Scores
CVSS v3
6.7
EPSS
0.0032
EPSS Percentile
23.7%
Attack Vector
NETWORK
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
openproject/openproject
< 17.0.2
Published
Feb 09, 2026
Tracked Since
Feb 18, 2026