← Back to CVEs
CVE-2026-30239
MEDIUM6.5
Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.
CVE Details
CVSS v3.1 Score6.5
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published3/11/2026
Last Modified3/13/2026
Sourcenvd
Honeypot Sightings0
Affected Products
openproject:openproject
Weaknesses (CWE)
CWE-863
References
https://github.com/opf/openproject/security/advisories/GHSA-gpvh-g967-g4h8(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.