CVE Catalog
CVE-2026-52784
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk0.16%
6th percentile — higher than 6% of all known CVEs
Summary
In OpenProject before versions 17.3.3 and 17.4.1, there is a CSRF vulnerability on the /users/:id path via the POST parameter user[admin]. An attacker can exploit this to unauthorizedly change admin privileges.
Risk Assessment
The risk involves potential admin account takeover via CSRF, leading to full system and project data compromise.
Recommendation
Update OpenProject immediately to version 17.3.3 or 17.4.1, where this vulnerability is fixed.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.

