{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40896", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-20T15:12:52.279Z", "dateUpdated": "2026-04-20T16:13:10.714Z"}, "containers": {"cna": {"title": "OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245"}, {"name": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 17.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T15:12:52.279Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue."}], "source": {"advisory": "GHSA-hh5p-gwf8-h245", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:13:05.532704Z", "id": "CVE-2026-40896", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:13:10.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40896", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:13:05.532704Z"}}}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:12:58.827Z"}}], "cna": {"title": "OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup", "source": {"advisory": "GHSA-hh5p-gwf8-h245", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": "< 17.3.0"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "name": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe", "name": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T15:12:52.279Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40896", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:13:10.714Z", "dateReserved": "2026-04-15T16:37:22.766Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T15:12:52.279Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue."}], "id": "CVE-2026-40896", "lastModified": "2026-04-20T17:16:36.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:48.567", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe"}, {"source": "security-advisories@github.com", "url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,17.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openproject", "source": "cna", "vendor": "opf"}, "product": "openproject", "vendor": "opf"}], "analysis": {"en": {"generated_at": "2026-04-20T17:21:28.135346+00:00", "value": {"mitigation_remediation": ["Upgrade OpenProject to version 17.3.0 or later, which contains the patch for the unscoped section lookup flaw.", "Restrict the manage_agendas permission to administrators or trusted users only, removing it from regular project members to prevent cross\u2011project agenda injection.", "If an upgrade cannot be performed immediately, monitor meeting agenda logs for unauthorized items and conduct regular audits of meeting schedules to detect and mitigate tampering."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized users can inject agenda items into meetings of projects they do not own or have access to"}, "threat_synthesis": {"affected_systems": "Versions of OpenProject prior to 17.3.0 are affected. Any instance running a vulnerable version and with users granted the manage_agendas permission for any project can be exploited. The vulnerability does not depend on specific application modules or operating systems; it is purely a feature logic flaw in the OpenProject application code.", "description_and_impact": "The vulnerability in OpenProject allows an attacker who has the manage_agendas permission in any project to inject agenda items into meetings belonging to projects the attacker has no access to. The flaw resides in an unscoped section lookup that permits the attacker to specify arbitrary section identifiers, leading to creation of agenda items in any meeting without needing to discover target project details. This cross\u2011project injection can deface meeting agendas, insert misleading information, or facilitate social engineering attacks. The weakness is related to unauthorized data manipulation (CWE\u2011367, CWE\u2011639).", "risk_and_exploitability": "The CVSS score of 6.5 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not known to be actively exploited yet. An attacker only needs a legitimate user account with manage_agendas permission; no additional knowledge of target meetings or projects is required, so the attack vector is internal and can be executed by a malicious user with standard project\u2011level privileges. The lack of advanced privilege escalation or credential compromise makes the exploitation straightforward for anyone with the required permission."}}}}, "created": "2026-04-20T16:30:06.097897+00:00", "updated": "2026-04-20T17:30:12.651708+00:00", "vendors": ["opf", "opf$PRODUCT$openproject"]}