CVE-2026-30239

MEDIUM

OpenProject <17.2.0 - Privilege Escalation

Title source: llm

Description

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.

References (1)

[Vendor Advisory] https://github.com/opf/openproject/security/advisories/GHSA-gpvh-g967-g4h8

Scores

CVSS v3 6.5

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (1)

openproject/openproject < 17.2.0

Published Mar 11, 2026

Tracked Since Mar 12, 2026