CVE Catalog

CVE-2026-52784

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

In OpenProject before versions 17.3.3 and 17.4.1, there is a CSRF vulnerability on the /users/:id path via the POST parameter user[admin]. An attacker can exploit this to unauthorizedly change admin privileges.

Risk Assessment

The risk involves potential admin account takeover via CSRF, leading to full system and project data compromise.

Recommendation

Update OpenProject immediately to version 17.3.3 or 17.4.1, where this vulnerability is fixed.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is a CSRF on TARGET through /users/:id via POST parameter "user[admin]". This vulnerability is fixed in 17.3.3 and 17.4.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS