Deletion Permits Unauthorized Budget Migration in OpenProject
CVE-2026-30239

6.5MEDIUM

Key Information:

Vendor: Opf
Status: Openproject
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-30239?

In OpenProject, an open-source project management tool, a flaw exists in the handling of budget deletions prior to version 17.2.0. Specifically, when budgets are deleted, the related work packages must be reassigned to a different budget. However, this reassignment process occurs without validating the user's permissions to perform such an action. As a result, any user within the application could potentially delete budget assignments from work packages, bypassing crucial authorization checks and compromising the integrity of project financial management.

Affected Version(s)

openproject < 17.2.0

References

https://github.com/opf/openproject/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-30239 Data

JSON

Opf

What is CVE-2026-30239?

Affected Version(s)

References

CVSS V3.1

Timeline