CVE-2026-27723 Overview
CVE-2026-27723 is an Improper Access Control vulnerability affecting OpenProject, an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This vulnerability allows authenticated users to bypass project-level authorization controls and create content in projects they should not have access to.
Critical Impact
Authenticated attackers can bypass project permissions to create unauthorized wiki pages in restricted projects, potentially leading to data tampering, misinformation injection, or unauthorized information disclosure within organizational project management workflows.
Affected Products
- OpenProject 17.0.x versions prior to 17.0.5
- OpenProject 17.1.x versions prior to 17.1.2
Discovery Timeline
- 2026-03-05 - CVE-2026-27723 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-27723
Vulnerability Analysis
This vulnerability stems from improper access control (CWE-284) in OpenProject's wiki page creation functionality. The application fails to properly validate user permissions when processing wiki page creation requests, allowing authenticated users to create pages in projects where they lack the necessary authorization.
The flaw lies in how OpenProject performs authorization checks for wiki-related API endpoints. While the application properly validates that the user is authenticated, it does not adequately verify that the authenticated user holds the project-level permission required to create wiki content in the target project. This is a horizontal privilege escalation: a user with access to one project can create wiki content in other projects they should not be able to modify.
Root Cause
The root cause is a missing project-level authorization check in the wiki page creation request handler. The endpoint validates that the user is authenticated to the OpenProject instance but does not enforce project-specific authorization. Any authenticated user can therefore submit a request naming a project identifier for which they lack write permissions, and the application processes the wiki page creation without validating the user's relationship to that project.
Attack Vector
The attack is network-based and requires low privileges (an authenticated user account). An attacker with a valid OpenProject account can exploit this vulnerability by sending a crafted HTTP request to the wiki page creation endpoint that specifies the ID of a project they do not have access to. Because the handler checks only that the request is authenticated, the wiki page is created despite the missing project permission.
The attack requires no user interaction and can be executed directly against the vulnerable endpoint. Since this is an access control bypass rather than an authentication bypass, the attacker must hold valid credentials for the OpenProject instance; membership in any project is sufficient.
Detection Methods for CVE-2026-27723
Indicators of Compromise
- Unexpected wiki pages appearing in projects with restricted access controls
- Audit logs showing wiki page creation events from users not assigned to the target project
- API request logs showing wiki creation attempts targeting project IDs inconsistent with user permissions
- User activity patterns indicating cross-project wiki operations that violate established access policies
Detection Strategies
- Monitor OpenProject audit logs for wiki page creation events and cross-reference with project membership data
- Implement alerting on wiki creation API calls where the requesting user is not a member of the target project
- Review web server access logs for suspicious patterns in wiki-related endpoint requests
- Deploy application-layer monitoring to detect authorization bypass attempts
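The cross-referencing described above, as an added example that is not part of the advisory or of OpenProject: wiki-page creation events are checked against a project membership export and flagged when the requesting user is not a member of the target project. The audit records and membership data are constructed, and the permission name edit_wiki_pages is an assumption about OpenProject's role configuration.

```python
# Added example (not from the advisory or OpenProject): flag wiki-page creations whose
# requesting user is not a member of the target project. Records are constructed; the
# permission name 'edit_wiki_pages' is an assumption about OpenProject's role permissions.
import json

# Constructed membership export: project -> user -> permissions granted via roles.
MEMBERSHIPS = {
    "alpha": {"alice": {"view_wiki_pages", "edit_wiki_pages"}, "bob": {"view_wiki_pages"}},
    "beta": {"carol": {"view_wiki_pages", "edit_wiki_pages"}},
}
ADMINS = {"root"}  # instance administrators are allowed in every project

# Constructed JSON-lines audit events, one per request.
AUDIT_LOG = """
{"ts":"2026-03-05T09:00:01Z","user":"alice","action":"wiki_page.create","project":"alpha","page":"Notes"}
{"ts":"2026-03-05T09:02:14Z","user":"alice","action":"wiki_page.create","project":"beta","page":"Notes"}
{"ts":"2026-03-05T09:03:40Z","user":"bob","action":"wiki_page.create","project":"alpha","page":"Agenda"}
{"ts":"2026-03-05T09:05:00Z","user":"root","action":"wiki_page.create","project":"beta","page":"Policy"}
{"ts":"2026-03-05T09:06:22Z","user":"carol","action":"wiki_page.view","project":"alpha","page":"Agenda"}
{"ts":"2026-03-05T09:07:59Z","user":"alice","action":"wiki_page.create","project":"gamma","page":"Todo"}
"""

def classify(event, memberships, admins):
    """Return None when the creation is authorized, otherwise the reason it is not."""
    if event.get("action") != "wiki_page.create":
        return None  # only creations matter for this CVE
    user, project = event["user"], event["project"]
    if user in admins:
        return None
    perms = memberships.get(project, {}).get(user)
    if perms is None:
        return "not a member of target project"
    if "edit_wiki_pages" not in perms:
        return "member without edit_wiki_pages"
    return None

def find_suspicious(log_text, memberships=MEMBERSHIPS, admins=ADMINS):
    """Return (event, reason) for every creation the membership data does not authorize."""
    findings = []
    for line in filter(None, (ln.strip() for ln in log_text.splitlines())):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed record instead of aborting the sweep
        reason = classify(event, memberships, admins)
        if reason:
            findings.append((event, reason))
    return findings
```

A user flagged against several projects in a short window, as alice is here, is the pattern worth a SIEM alert rather than a single ticket.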
Monitoring Recommendations
- Enable detailed audit logging for all wiki-related operations in OpenProject
- Configure SIEM rules to correlate wiki creation events with user-project membership data
- Establish baseline user behavior patterns for wiki operations and alert on anomalies
- Regularly review wiki content across projects to identify unauthorized additions
How to Mitigate CVE-2026-27723
Immediate Actions Required
- Upgrade OpenProject to version 17.0.5 or 17.1.2 immediately
- Review wiki content across all projects for unauthorized pages created prior to patching
- Audit user activity logs to identify potential exploitation attempts
- Temporarily restrict wiki creation permissions to trusted users until patching is complete
Patch Information
OpenProject has released patched versions that address this vulnerability. Organizations should upgrade to one of the following versions:
- OpenProject v17.0.5 - Patched release for the 17.0.x branch
- OpenProject v17.1.2 - Patched release for the 17.1.x branch
For detailed information about this security issue, refer to the GitHub Security Advisory GHSA-9gc6-3xjq-pwc9.
Workarounds
- Restrict wiki creation permissions at the application level to only trusted administrators until patching is feasible
- Implement network-level access controls to limit which users can access wiki-related API endpoints
- Enable mandatory review workflows for wiki content creation to catch unauthorized additions
- Consider temporarily disabling wiki functionality if it is not business-critical until the patch is applied
# Example: Check current OpenProject version
openproject version
# Example: after installing the upgraded package, re-run the packaged installation's configuration
sudo openproject reconfigure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.