CVE-2026-24777 Overview
CVE-2026-24777 is a Missing Authorization vulnerability (CWE-862) affecting OpenProject, an open-source, web-based project management software. Prior to version 17.0.2, users with the "Manage Users" permission could lock and unlock user accounts including application administrators, despite this functionality being intended only for non-administrator users. Due to a missing permission check, the authorization logic was not properly enforced, allowing users with elevated but non-administrative privileges to lock out administrator accounts.
Critical Impact
Users with Manage Users permission can lock administrator accounts, potentially causing denial of service to critical administrative functions and enabling privilege escalation scenarios in OpenProject deployments.
Affected Products
- OpenProject versions prior to 17.0.2
- All OpenProject installations with users granted "Manage Users" permission
Discovery Timeline
- 2026-02-09 - CVE-2026-24777 published to NVD
- 2026-02-11 - Last updated in NVD database
Technical Details for CVE-2026-24777
Vulnerability Analysis
This vulnerability stems from a broken access control mechanism in OpenProject's user management functionality. The application implements a permission system where users with the "Manage Users" role can perform account operations such as locking and unlocking user accounts. However, the authorization layer failed to include a critical check that should have prevented these users from performing such operations on administrator accounts.
The impact of this vulnerability is significant because it allows a lower-privileged user (one with Manage Users permission but not full administrator rights) to effectively lock out all administrator accounts from the system. This could result in a denial of administrative access to the application, requiring manual database intervention or system recovery procedures to restore access.
Root Cause
The root cause is a missing permission check (CWE-862: Missing Authorization) in the user lock/unlock functionality. While the application correctly validates that a user has the "Manage Users" permission before allowing account locking operations, it fails to implement an additional check to prevent these operations from being performed on administrator accounts. This represents an incomplete authorization model where role hierarchy constraints were not properly enforced.
Attack Vector
The attack can be executed remotely over the network by an authenticated user who has been granted the "Manage Users" permission. The attacker requires high privileges (the Manage Users role) but not full administrative access. No user interaction is required to exploit this vulnerability.
The attack scenario involves:
- An attacker gains access to an account with "Manage Users" permission
- The attacker navigates to the user management interface
- The attacker identifies administrator accounts in the system
- The attacker locks the administrator accounts through the standard user management interface
- Administrators are now unable to access the system, and the attacker may have an opportunity to escalate their own privileges or cause disruption
This vulnerability does not require any specialized exploit code—it leverages the existing user management functionality in an unintended way due to the missing authorization check.
Detection Methods for CVE-2026-24777
Indicators of Compromise
- Audit logs showing administrator accounts being locked by non-administrator users
- Multiple administrator account lockouts occurring within a short timeframe
- User management actions performed by accounts with only "Manage Users" permission targeting admin users
- Sudden loss of administrator access across the organization
Detection Strategies
- Monitor OpenProject audit logs for user lock/unlock events, specifically filtering for operations performed on administrator accounts
- Implement alerts for any administrator account status changes initiated by non-administrator users
- Review access patterns in user management functionality for unusual targeting of admin accounts
Monitoring Recommendations
- Enable comprehensive audit logging for all user management operations in OpenProject
- Configure SIEM rules to alert on administrator account lock events
- Regularly review the list of users with "Manage Users" permission and apply the principle of least privilege
How to Mitigate CVE-2026-24777
Immediate Actions Required
- Upgrade OpenProject to version 17.0.2 or later immediately
- Audit the list of users with "Manage Users" permission and reduce it to only essential personnel
- Review audit logs for any suspicious administrator account locking activity
- Verify that all administrator accounts are currently unlocked and accessible
Patch Information
The vulnerability has been fixed in OpenProject version 17.0.2. The patch adds the missing authorization check to ensure that users with the "Manage Users" permission cannot lock or unlock administrator accounts. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed patch information, see the GitHub Release v17.0.2 and the GitHub Security Advisory GHSA-fq66-cwg6-qq69.
Workarounds
- If immediate patching is not possible, temporarily revoke "Manage Users" permission from all non-administrator accounts until the upgrade can be completed
- Implement network-level access controls to restrict user management functionality to trusted IP addresses
- Enable additional monitoring and alerting on user management operations as a compensating control
# Review users with Manage Users permission in OpenProject
# Access the Administration panel and navigate to:
# Administration > Roles and permissions > Review "Manage users" permission assignments
# Recommended: Restrict Manage Users permission to administrators only
# until the upgrade to 17.0.2 is completed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
