CVE-2026-23646— OpenProject users can delete other user's session, causing them to be logged out

OpenProject users can delete other user's session, causing them to be logged out

OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

对错误会话暴露数据元素

OpenProject 安全漏洞

OpenProject是OpenProject开源的一个基于Web的项目管理软件。 OpenProject 16.6.5之前版本和17.0.1之前版本存在安全漏洞，该漏洞源于删除会话时未验证会话所属用户，可能导致未经身份验证的用户终止其他用户的会话。

N/A

N/A