CVE-2026-30239— OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-30239
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPackages into other budgets
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenProject 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenProject是OpenProject开源的一个基于Web的项目管理软件。 OpenProject 17.2.0之前版本存在安全漏洞,该漏洞源于删除预算时,分配给该预算的工作包在删除操作的权限检查之前被移动,可能导致应用程序中的所有用户删除工作包预算分配。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| opf | openproject | < 17.2.0 | - |
II. Public POCs for CVE-2026-30239
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-30239
请登录查看更多情报信息。
Same Patch Batch · opf · 2026-03-11 · 5 CVEs total
| CVE-2026-30234 | 6.5 MEDIUM | OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Re |
| CVE-2026-30235 | 6.5 MEDIUM | Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering |
| CVE-2026-30236 | 4.3 MEDIUM | OpenProject users that are not project members can be used to calculate Labor Budget, leak |
| CVE-2026-31974 | 3.0 LOW | Blind SSRF on OpenProject instance via webhooks |
IV. Related Vulnerabilities
Same product: openproject
- CVE-2026-40896
OpenProject has Cross-Project Meeting Agenda Item Injection - CVE-2026-33667
OpenProject: 2FA OTP Verification Missing Rate Limiting - CVE-2026-34717
OpenProject: SQL Injection in Cost Reporting =n Operator via - CVE-2026-32703
OpenProject's repository files are served with the MIME type - CVE-2026-32698
OpenProject has a SQL Injection via Custom Field Name that c
Same vendor: opf
- CVE-2026-40896
OpenProject has Cross-Project Meeting Agenda Item Injection - CVE-2026-33667
OpenProject: 2FA OTP Verification Missing Rate Limiting - CVE-2026-34717
OpenProject: SQL Injection in Cost Reporting =n Operator via - CVE-2026-32703
OpenProject's repository files are served with the MIME type - CVE-2026-32698
OpenProject has a SQL Injection via Custom Field Name that c
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2026-30239
No comments yet