CVE Catalog

CVE-2026-52782

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

In OpenProject prior to versions 17.3.3 and 17.4.1, an IDOR vulnerability exists in the endpoint /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]". A project administrator can hijack the managed Nextcloud or OneDrive folder of another project on the same storage, leading to unauthorized resource access.

Risk Assessment

The risk involves a project administrator being able to hijack another project's folder, potentially leading to data leakage or unauthorized access to files stored in external systems (Nextcloud/OneDrive).

Recommendation

Update OpenProject immediately to version 17.3.3 or 17.4.1, which contain the fix for this vulnerability.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS