CVE-2026-30236 Overview
OpenProject is an open-source, web-based project management software that contains an authorization bypass vulnerability in its project budget functionality. Prior to version 17.2.0, when editing a project budget and planning labor costs, the application failed to verify that users planned in the budget are actual project members. This vulnerability exposes the default rate information of non-member users to unauthorized users, constituting a broken access control issue (CWE-863).
Critical Impact
Unauthorized disclosure of sensitive user rate information through improper membership validation in budget planning and cost calculation endpoints.
Affected Products
- OpenProject versions prior to 17.2.0
- OpenProject budget planning module
- OpenProject cost calculation API endpoint
Discovery Timeline
- 2026-03-11 - CVE-2026-30236 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30236
Vulnerability Analysis
This vulnerability falls under the category of Broken Access Control, specifically an authorization bypass (CWE-863: Incorrect Authorization). The OpenProject application contains two distinct points of failure in its access control implementation:
Budget Planning Interface: When editing project budgets and planning labor costs, the application does not validate that the user being planned in the budget is an actual member of the project. This allows authenticated users with budget editing privileges to add any user (including non-members) to the budget, inadvertently exposing their default rate information.
Cost Preview Endpoint: The API endpoint responsible for pre-calculating costs for the frontend display similarly lacks proper membership validation. This allows attackers to calculate costs using the default rates of users who are not project members, exposing potentially confidential billing rate data.
The vulnerability requires authentication and some level of access to budget planning features, but enables horizontal information disclosure across organizational boundaries within the same OpenProject instance.
Root Cause
The root cause is missing authorization checks in the budget planning and cost calculation functionality. The application assumes that any user reference provided during budget planning is valid without verifying project membership status. This oversight allows the retrieval and calculation of sensitive rate information for users outside the intended access scope.
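To make the missing check concrete, the following is an added illustration written for this page; it is not OpenProject's own code, and every class, method and sample value in it is hypothetical. It models a cost preview as an in-memory lookup: the vulnerable variant resolves any user id's default rate, while the hardened variant refuses to compute a cost for a user who is not a member of the project, which is the validation the fix in 17.2.0 is described as adding.

```ruby
# Added illustration (not OpenProject code): an in-memory model of a budget cost
# preview showing the missing membership check beside the hardened version.
# All names and data here are constructed for the example.

class AuthorizationError < StandardError; end

User = Struct.new(:id, :default_rate)
Project = Struct.new(:id, :member_ids)

# Constructed sample data: user 3 has a default rate but is not a member of project 1.
USERS = {
  1 => User.new(1, 80.0),
  2 => User.new(2, 95.0),
  3 => User.new(3, 150.0),
}.freeze
PROJECTS = { 1 => Project.new(1, [1, 2]) }.freeze

# Vulnerable behaviour: the project is never consulted, so any user id resolves
# to a rate and the computed cost discloses it to the caller.
def preview_cost_vulnerable(_project_id, user_id, hours)
  USERS.fetch(user_id).default_rate * hours
end

# Hardened behaviour: only users who are members of the project may be planned,
# so no rate is resolved for anyone else.
def preview_cost_hardened(project_id, user_id, hours)
  project = PROJECTS.fetch(project_id)
  unless project.member_ids.include?(user_id)
    raise AuthorizationError, "user #{user_id} is not a member of project #{project_id}"
  end
  USERS.fetch(user_id).default_rate * hours
end

# The same membership predicate, for callers that prefer a boolean to an exception
# (e.g. form validation in the budget planning interface).
def planned_user_allowed?(project_id, user_id)
  PROJECTS.fetch(project_id).member_ids.include?(user_id)
end
```

The important design point is that the membership check runs before the rate is read at all; rejecting the request after computing the cost would still leave the rate recoverable through timing or error details.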
Attack Vector
An attacker with authenticated access to OpenProject and budget editing privileges can exploit this vulnerability through the following approach:
The attack leverages the budget planning interface where an authenticated user with project budget editing permissions can reference any user ID in the system, not just project members. When a non-member user ID is supplied, the application returns or uses that user's default rate in calculations. Additionally, the cost preview endpoint can be called directly to calculate costs using arbitrary user IDs, bypassing the intended restriction that should limit rate visibility to project members only.
For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-30236
Indicators of Compromise
- Unusual budget planning activities involving users not assigned to projects
- API calls to cost calculation endpoints with user IDs not associated with the requesting project
- Audit logs showing budget modifications that reference external users
- Anomalous patterns of user rate lookups across multiple projects
Detection Strategies
- Monitor budget planning API endpoints for requests containing user IDs that are not project members
- Implement logging for all rate information access and cross-reference with project membership data
- Set up alerts for bulk user rate lookups or rapid enumeration patterns
- Review audit logs for budget modifications that reference users outside the project team
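The first and third strategies above can be scripted against a request log. The following is an added example, not part of this advisory or of OpenProject: it parses constructed log lines for a cost-preview path, cross-references the planned user id with a membership table, and then groups the non-member hits by requesting actor to surface rapid enumeration. The log format, the path and the field names are assumptions; adapt the regular expression to the real access log.

```ruby
# Added example (not OpenProject code): flag cost-preview requests that reference
# non-member users and spot actors that cycle through several such ids quickly.
# Log format, path and membership data are constructed for this illustration.

require 'time'

# Constructed membership table: project id => member user ids
MEMBERSHIP = {
  1 => [1, 2],
  2 => [2, 4],
}.freeze

# Constructed sample log lines (actor = authenticated requester)
SAMPLE_LOG = <<~LOG
  2026-03-12T10:00:01Z actor=2 method=POST path=/projects/1/budgets/cost_preview user_id=1 hours=8
  2026-03-12T10:00:05Z actor=2 method=POST path=/projects/1/budgets/cost_preview user_id=3 hours=8
  2026-03-12T10:00:06Z actor=2 method=POST path=/projects/1/budgets/cost_preview user_id=4 hours=8
  2026-03-12T10:00:07Z actor=2 method=POST path=/projects/1/budgets/cost_preview user_id=5 hours=8
  2026-03-12T10:05:00Z actor=4 method=POST path=/projects/2/budgets/cost_preview user_id=2 hours=4
LOG

LINE_RE = %r{\A(?<ts>\S+) actor=(?<actor>\d+) method=\S+ path=/projects/(?<project>\d+)/budgets/cost_preview user_id=(?<user>\d+)}

# Parse one log line into a hash, or nil when it is not a cost-preview request
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ts: Time.iso8601(m[:ts]), actor: m[:actor].to_i,
    project: m[:project].to_i, user: m[:user].to_i }
end

# Requests whose planned user is not a member of the addressed project
def flag_non_member_requests(log, membership = MEMBERSHIP)
  log.each_line.filter_map { |l| parse_line(l) }.reject do |r|
    membership.fetch(r[:project], []).include?(r[:user])
  end
end

# Actors that referenced at least `threshold` distinct non-member ids within
# `window` seconds; returns actor id => list of non-member ids tried
def enumeration_suspects(flagged, threshold: 3, window: 60)
  flagged.group_by { |r| r[:actor] }.filter_map do |actor, rs|
    rs = rs.sort_by { |r| r[:ts] }
    span = rs.last[:ts] - rs.first[:ts]
    ids = rs.map { |r| r[:user] }.uniq
    [actor, ids] if ids.size >= threshold && span <= window
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  flagged = flag_non_member_requests(SAMPLE_LOG)
  flagged.each { |r| puts "non-member plan: actor=#{r[:actor]} project=#{r[:project]} user=#{r[:user]}" }
  enumeration_suspects(flagged).each { |actor, ids| puts "enumeration suspect: actor=#{actor} ids=#{ids.inspect}" }
end
```

A single non-member reference can be a legitimate mistake by a budget editor, which is why the second function only escalates when one actor walks through several non-member ids in a short window; tune `threshold` and `window` to the instance's normal editing pace.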
Monitoring Recommendations
- Enable detailed logging on budget and cost calculation endpoints
- Implement rate limiting on cost preview API calls to prevent enumeration attacks
- Configure alerts for access attempts to rate information across project boundaries
- Regularly audit project memberships against budget planning data for anomalies
How to Mitigate CVE-2026-30236
Immediate Actions Required
- Upgrade OpenProject to version 17.2.0 or later immediately
- Review existing budget configurations for references to non-member users
- Audit access logs for potential exploitation attempts prior to patching
- Notify affected users whose rate information may have been exposed
Patch Information
The vulnerability is fixed in OpenProject version 17.2.0. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper membership validation in both the budget planning interface and the cost calculation endpoint.
For additional details and patch information, see the GitHub Security Advisory.
Workarounds
- Restrict budget editing permissions to only the most trusted users until the patch can be applied
- Implement network-level access controls to limit exposure of the OpenProject instance
- Remove default rate configurations for users who do not require them
- Consider implementing additional proxy-level validation for budget-related API endpoints
# Example: verify the current OpenProject version
openproject version
# Upgrade a packaged (DEB/RPM) installation: install the updated package with the
# system package manager, then re-run the configuration step
sudo openproject reconfigure
# After the upgrade, verify the version is 17.2.0 or later
openproject version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.