CVE-2026-30236

MEDIUM

OpenProject <17.2.0 - Info Disclosure

Title source: llm

Description

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when editing a project budget and planning the labor cost, it was not checked that the user that was planned in the budget is actually a project member. This exposed the user's default rate (if one was set up) to users that should only see that information for project members. Also, the endpoint that handles the pre-calculation for the frontend to display a preview of the costs, while it was being entered, did not properly validate the membership of the user as well. This also allowed to calculate costs with the default rate of non-members. This vulnerability is fixed in 17.2.0.

References (1)

[Vendor Advisory] https://github.com/opf/openproject/security/advisories/GHSA-p747-569x-3v3f

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

openproject/openproject < 17.2.0

Published Mar 11, 2026

Tracked Since Mar 12, 2026