Authorization Confusion in OpenProject Calendar and Team Planner
CVE-2026-52779

5.4 MEDIUM

Key Information:

Vendor: Opf
CVE Published: 26 June 2026

What is CVE-2026-52779?

OpenProject, a widely used open-source project management application, has an authorization context confusion vulnerability in its Calendar and Team Planner modules. A user who holds management permissions in one project can delete public Calendar or Team Planner queries that belong to another project, in which they lack those permissions, because the application checks the permission against the project named in the request but does not verify that the targeted query actually belongs to that project. Users who rely on these shared views could face integrity issues and limited access, undermining the application's reliability for collaborative work. The flaw is fixed in versions 17.3.3 and 17.4.1.
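The authorization context confusion described above, as an added example that is not OpenProject's code: a hypothetical Ruby model in which the permission check and the query lookup use different scopes, next to the project-scoped lookup that closes the gap. All names, the permission symbol and the in-memory store are assumptions.

```ruby
# Added illustration of the authorization-context confusion described above.
# Hypothetical model, not OpenProject's code: the names, the permission symbol
# and the lookup helpers are assumptions chosen to show the bug pattern and its fix.
Query = Struct.new(:id, :project_id, :name, :public)
User  = Struct.new(:name, :permissions) # permissions: { project_id => [Symbol, ...] }

def allowed?(user, project_id, perm)
  user.permissions.fetch(project_id, []).include?(perm)
end

# Vulnerable pattern: the permission is checked against the project named in
# the request, but the query is fetched by id alone from the whole table, so an
# id belonging to another project passes the check and gets deleted.
def delete_query_vulnerable(queries, user, project_id, query_id)
  return :forbidden unless allowed?(user, project_id, :manage_public_queries)
  query = queries[query_id]
  return :not_found unless query
  queries.delete(query.id)
  :deleted
end

# Fixed pattern: resolve the query inside the authorized project's scope (the
# equivalent of looking it up through the project's own queries), so a query
# owned by a different project is never found in this context.
def delete_query_fixed(queries, user, project_id, query_id)
  return :forbidden unless allowed?(user, project_id, :manage_public_queries)
  query = queries[query_id]
  return :not_found unless query && query.project_id == project_id
  queries.delete(query.id)
  :deleted
end

# Constructed scenario: alice manages project 1 only and sends a delete for
# project 2's public query (id 20) while operating in project 1's context.
def demo(handler)
  queries = [Query.new(10, 1, "Team A calendar", true),
             Query.new(20, 2, "Team B planner", true)].to_h { |q| [q.id, q] }
  alice = User.new("alice", { 1 => [:manage_public_queries] })
  result = send(handler, queries, alice, 1, 20)
  [result, queries.key?(20)] # => [:deleted, false] vulnerable, [:not_found, true] fixed
end
```

The detection-side takeaway is the same in any framework: a delete that succeeds against an object whose project differs from the one the permission was evaluated for is the signal to look for.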

Affected Version(s)

openproject < 17.3.3

openproject >= 17.4.0, < 17.4.1


CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
