Vulnerability: IDOR on MeetingAgendaItems allows cross-project meeting agenda item transfer
Severity: Moderate
CVSS v3.1 score: 4.3
Affected Versions: < 17.0.2
Patched Versions: 17.0.2
CVE ID: CVE-2026-24776
Weaknesses: No CWEs

Description: The drag-and-drop handler for moving agenda items to different sections did not correctly validate whether the target section belongs to the same meeting. This allowed an attacker to transfer an agenda item to a different meeting, potentially causing confusion.

Patches: OpenProject 17.0.2 fixes the issue.

Workarounds: Administrators should verify and potentially limit which members have the "Manage Agenda Items" permission.

Credits: Reported by user as part of the YesWeHack OpenProject Bug Bounty Program.
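
The missing check from the Description, reduced to a self-contained Ruby sketch. This is an added example, not OpenProject's code: the structs, the constructed `SECTIONS` data and both `move_item_*` functions are hypothetical. The first function accepts any section id; the second resolves the target only within the item's own meeting.

```ruby
# Added illustration in plain Ruby, not OpenProject source. All names are hypothetical.
Section    = Struct.new(:id, :meeting_id)
AgendaItem = Struct.new(:id, :meeting_id, :section_id)

class ForbiddenMove < StandardError; end

# Constructed sample data: meeting 1 owns sections 10 and 11, meeting 2 owns section 20.
SECTIONS = {
  10 => Section.new(10, 1),
  11 => Section.new(11, 1),
  20 => Section.new(20, 2)
}.freeze

# Bug class described in the advisory: the client-supplied section id is
# looked up globally, so any existing section is accepted as a drop target.
def move_item_unscoped(item, target_section_id)
  section = SECTIONS.fetch(target_section_id)
  item.section_id = section.id
  item.meeting_id = section.meeting_id # the item silently leaves its meeting
  item
end

# Hardened form: the target must exist AND belong to the item's own meeting.
# Unknown ids and foreign ids fail the same way, so the response does not
# reveal which section ids exist in other meetings.
def move_item_scoped(item, target_section_id)
  section = SECTIONS[target_section_id]
  unless section && section.meeting_id == item.meeting_id
    raise ForbiddenMove, "section #{target_section_id} is not part of meeting #{item.meeting_id}"
  end
  item.section_id = section.id
  item
end
```
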