CVE-2026-30239 Overview
CVE-2026-30239 is a Broken Access Control vulnerability in OpenProject, an open-source, web-based project management software. Prior to version 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments, regardless of their authorization level.
Critical Impact
Any authenticated user can delete work package budget assignments without proper authorization, potentially disrupting project financial tracking and budget management across the organization.
Affected Products
- OpenProject versions prior to 17.2.0
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-30239 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30239
Vulnerability Analysis
This vulnerability is classified as CWE-863 (Incorrect Authorization). The flaw exists in the budget deletion workflow within OpenProject. When a budget is deleted, the system automatically reassigns associated work packages to a different budget. The critical issue is that this reassignment operation executes before the authorization check validates whether the user has permission to delete the budget.
This incorrect ordering of operations creates a time-of-check-time-of-use (TOCTOU) style vulnerability where unauthorized users can trigger the work package reassignment functionality simply by initiating a budget deletion request. Even if the permission check ultimately denies the delete operation, the damage is already done—work packages have been detached from their original budget assignments.
Root Cause
The root cause is an improper ordering of authorization checks within the budget deletion code path. The application performs the work package budget reassignment as a preliminary step before validating user permissions. This violates the security principle of checking authorization before performing any state-modifying operations.
In properly secured applications, permission verification should always occur at the earliest possible point in the request handling chain, before any business logic executes. The vulnerable code path processes the budget reassignment side effect first, then checks permissions, making the authorization check ineffective for preventing the reassignment action.
Attack Vector
The attack vector is network-based and requires low-privileged authenticated access to the OpenProject application. An attacker with any valid user account can exploit this vulnerability by sending a budget deletion request to the application.
The exploitation flow involves:
- An authenticated user identifies a target budget they want to disrupt
- The user initiates a budget deletion request through the application interface or API
- The application processes the work package reassignment before checking permissions
- Even if the permission check fails and returns an authorization error, the work packages have already been detached from the original budget
- This allows any authenticated user to effectively clear budget assignments across the project
For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-30239
Indicators of Compromise
- Unexpected changes to work package budget assignments in the database
- Authorization failure logs for budget deletion attempts followed by modified budget data
- Unusual patterns of budget deletion requests from low-privileged user accounts
- Audit log entries showing work packages being unassigned from budgets without corresponding successful deletion events
Detection Strategies
- Monitor application logs for failed budget deletion attempts that occur alongside database changes to work package budget fields
- Implement database-level auditing to track modifications to work package budget associations
- Review access logs for unusual patterns of DELETE requests targeting budget endpoints from users without budget management permissions
- Configure alerting for multiple failed authorization attempts combined with successful data modifications
Monitoring Recommendations
- Enable verbose logging for budget-related operations in OpenProject
- Implement integrity monitoring for work package budget assignment records
- Set up alerts for authorization failures on budget management endpoints
- Regularly audit work package budget assignments for unauthorized modifications
How to Mitigate CVE-2026-30239
Immediate Actions Required
- Upgrade OpenProject to version 17.2.0 or later immediately
- Audit recent budget deletion attempts and associated work package changes to identify potential exploitation
- Review user access logs for suspicious budget deletion requests from unauthorized accounts
- Consider temporarily restricting budget functionality to administrators until the patch is applied
Patch Information
This vulnerability is fixed in OpenProject version 17.2.0. The fix ensures that authorization checks are performed before any work package reassignment operations occur during budget deletion. Organizations should upgrade to this version or later to remediate the vulnerability.
For more details, see the GitHub Security Advisory.
Workarounds
- Restrict access to budget-related functionality through application-level or network-level controls until patching is possible
- Implement additional authorization checks at the web server or reverse proxy layer for budget deletion endpoints
- Monitor and alert on any budget deletion attempts pending the application update
- Consider disabling budget features temporarily if they are not critical to operations
# Example: Restrict budget endpoints via reverse proxy (nginx)
# Add to your OpenProject nginx configuration
location ~ ^/api/v3/budgets {
# Restrict to administrators only via IP or authentication
allow 10.0.0.0/8; # Admin network only
deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
