CSRF Vulnerability in OpenProject Software from OpenProject Foundation
CVE-2026-52784

8.8HIGH

Key Information:

Vendor: Opf
Status: Openproject
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-52784?

A Cross-Site Request Forgery (CSRF) vulnerability exists in OpenProject, an open-source project management software. This vulnerability allows an attacker to send unauthorized requests on behalf of an authenticated user via the POST parameter 'user[admin]' through the endpoint /users/:id. It is important for users to update to versions 17.3.3 or 17.4.1 or later to mitigate this issue.

Affected Version(s)

openproject < 17.3.3 < 17.3.3

openproject >= 17.4.0, < 17.4.1 < 17.4.0, 17.4.1

References

https://github.com/opf/openproject/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 8, 2026

CVE-2026-52784 Data

JSON

Opf

What is CVE-2026-52784?

Affected Version(s)

References

CVSS V3.1

Timeline