OpenProject Vulnerability in User Membership Validation
CVE-2026-30236

4.3 MEDIUM

Key Information:

Vendor: Opf

CVE Published: 11 March 2026

What is CVE-2026-30236?

OpenProject, a web-based project management application, had a vulnerability that allowed unauthorized users to access sensitive information about project member budgets and labor costs. Specifically, prior to version 17.2.0, the system failed to validate whether a user was actually a member of a project when they attempted to edit budget-related details. This oversight could lead to unauthorized disclosure of user rate information and allow calculations involving budgets of non-members. The issue was addressed in version 17.2.0, reinforcing the need for strict membership checks in sensitive financial operations.

Affected Version(s)

openproject < 17.2.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
