CVE-2026-40896 Overview
CVE-2026-40896 is a broken access control vulnerability in OpenProject, an open-source web-based project management platform. The flaw allows any authenticated user holding the manage_agendas permission in a single project to inject agenda items into meetings belonging to any other project on the instance. Attackers do not need access, visibility, or prior knowledge of the target project or meeting. By iterating sequential section IDs, an adversary can blindly spray agenda items across every meeting on the instance. OpenProject version 17.3.0 resolves the issue.
Critical Impact
Authenticated users with limited project permissions can tamper with meeting agendas across the entire OpenProject instance, including projects they cannot otherwise view.
Affected Products
- OpenProject versions prior to 17.3.0
- Self-hosted OpenProject deployments with multi-project configurations
- Any OpenProject instance where users hold manage_agendas in at least one project
Discovery Timeline
- 2026-04-20 - CVE-2026-40896 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-40896
Vulnerability Analysis
The vulnerability resides in the meeting agenda subsystem of OpenProject. The application checks whether the requesting user holds the manage_agendas permission, but it does not verify that the permission applies to the project that owns the targeted meeting section. As a result, the authorization check passes globally rather than per-project, breaking OpenProject's project isolation model.
The issue is classified under CWE-367 (Time-of-Check Time-of-Use) in the advisory, reflecting an inconsistency between the permission scope validated at request time and the resource ultimately modified. The practical effect is a broken access control flaw enabling cross-tenant write access within a single instance.
Attackers can manipulate agenda content, inject misleading meeting items, or disrupt operational workflows. The integrity impact is rated high, while confidentiality impact is limited to information disclosed through error responses or returned object metadata.
Root Cause
The root cause is missing project-scoped authorization on the agenda item creation endpoint. The controller validates that the caller has manage_agendas somewhere in the system, then accepts a section ID from user input and writes to whichever meeting that ID belongs to. No check ties the user's permission grant to the project owning the section.
Attack Vector
Exploitation requires only a low-privileged authenticated account with manage_agendas in any project, including a project the attacker created themselves. The attacker enumerates section IDs sequentially over the network-facing API and submits crafted agenda item payloads. Because section IDs are predictable integers, blind enumeration is straightforward. No user interaction or social engineering is needed.
The upstream fix can be reviewed in the OpenProject patch commit 8f693a1f and the GitHub Security Advisory GHSA-hh5p-gwf8-h245.
Detection Methods for CVE-2026-40896
Indicators of Compromise
- Agenda items in meetings authored by users who lack membership in the owning project
- Bursts of sequential POST requests to meeting section endpoints with incrementing section IDs from a single account
- Audit log entries showing agenda modifications across multiple unrelated projects within a short window
- Unexpected agenda content appearing in meetings owned by isolated or confidential projects
Detection Strategies
- Correlate the requesting user's project memberships against the project ID of the meeting modified in each agenda write operation
- Alert when a single authenticated session writes to agendas in more than a small threshold of distinct projects within a defined interval
- Hunt historical web server logs for enumeration patterns targeting agenda or section API paths
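The three strategies above, worked through as an added example that is not OpenProject tooling: the audit-line format, the membership map and the log lines are constructed for illustration, so the regex must be adapted to whatever your own log pipeline emits.

```ruby
require 'time'
require 'set'

# Constructed line format (assumption): one record per agenda write, carrying the
# project that owns the targeted section so the membership check is possible.
LINE_RE = /\A(?<ts>\S+) user=(?<user>\S+) action=agenda_item\.create section=(?<section>\d+) project=(?<project>\d+) status=(?<status>\d+)/

Event = Struct.new(:ts, :user, :section, :project, :status)

def parse_events(lines)
  lines.filter_map do |l|
    m = LINE_RE.match(l) or next   # unrelated lines are skipped
    Event.new(Time.iso8601(m[:ts]), m[:user], m[:section].to_i, m[:project].to_i, m[:status].to_i)
  end
end

# Strategy 1: a successful write whose author is not a member of the owning project.
def cross_project_writes(events, memberships)
  events.select { |e| e.status.between?(200, 299) && !memberships.fetch(e.user, Set.new).include?(e.project) }
end

# Strategy 2: one account writing agendas in more than `threshold` distinct projects
# inside a fixed bucket of `window_s` seconds (bursts straddling a bucket edge can be
# missed; use a sliding window if that matters for your alerting).
def spray_users(events, threshold:, window_s:)
  buckets = Hash.new { |h, k| h[k] = Set.new }
  events.each { |e| buckets[[e.user, e.ts.to_i / window_s]] << e.project }
  buckets.select { |_, projects| projects.size > threshold }.keys.map(&:first).uniq
end

# Strategy 3: runs of consecutive section ids from a single account, the footprint of
# blind enumeration. Returns [user, first_id, last_id] for the longest qualifying run.
def enumeration_runs(events, min_run:)
  events.group_by(&:user).filter_map do |user, evs|
    ids = evs.map(&:section).uniq.sort
    run = ids.chunk_while { |a, b| b == a + 1 }.max_by(&:size)
    [user, run.first, run.last] if run && run.size >= min_run
  end
end

# Constructed sample: alice works inside her own project; mallory, a member of
# project 7 only, walks sections 40..44 across four projects within seconds.
SAMPLE_LOG = [
  "2026-04-21T10:00:01Z user=alice action=agenda_item.create section=12 project=8 status=201",
  "2026-04-21T10:00:05Z user=mallory action=agenda_item.create section=40 project=7 status=201",
  "2026-04-21T10:00:06Z user=mallory action=agenda_item.create section=41 project=8 status=201",
  "2026-04-21T10:00:07Z user=mallory action=agenda_item.create section=42 project=9 status=201",
  "2026-04-21T10:00:08Z user=mallory action=agenda_item.create section=43 project=9 status=201",
  "2026-04-21T10:00:09Z user=mallory action=agenda_item.create section=44 project=10 status=201",
].freeze
MEMBERSHIPS = { "alice" => Set[7, 8], "mallory" => Set[7] }.freeze
```

Running `parse_events(SAMPLE_LOG)` through the three functions flags mallory under every strategy while alice's in-project write produces no alert.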
Monitoring Recommendations
- Ingest OpenProject application logs and Rails audit events into a centralized logging or SIEM platform for analysis
- Track the manage_agendas permission grant inventory and flag accounts that exercise it across project boundaries
- Monitor HTTP response codes on agenda endpoints for high volumes of 2xx responses tied to enumeration sequences
How to Mitigate CVE-2026-40896
Immediate Actions Required
- Upgrade OpenProject to version 17.3.0 or later as the primary remediation
- Audit which users hold the manage_agendas permission and revoke it from accounts that do not require it
- Review meeting agendas across all projects for unauthorized or anomalous items added before the upgrade
Patch Information
OpenProject version 17.3.0 contains the fix. The corrective change is published in commit 8f693a1f and documented in GHSA-hh5p-gwf8-h245. The patch enforces project-scoped authorization when adding agenda items so that the manage_agendas permission is validated against the project owning the target section.
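The root cause and the shape of the fix, side by side as an added toy model written for this page; it is not OpenProject's code, and the Project/Meeting/Section/Membership structs, the service class and the permission names are assumptions chosen to mirror the description above.

```ruby
Project    = Struct.new(:id)
Meeting    = Struct.new(:id, :project)
Section    = Struct.new(:id, :meeting)
Membership = Struct.new(:user, :project, :permissions)

class AgendaService
  def initialize(memberships, sections)
    @memberships = memberships
    @sections    = sections.to_h { |s| [s.id, s] }
    @items       = []  # [section_id, user, title]
  end

  # Vulnerable pattern: the permission is looked up across *all* of the caller's
  # memberships, so holding it anywhere passes; the request's section id picks the meeting.
  def create_item_vulnerable(user, section_id, title)
    return :forbidden unless allowed_anywhere?(user, :manage_agendas)
    section = @sections[section_id] or return :not_found
    @items << [section.id, user, title]
    :created
  end

  # Fixed pattern: resolve the section, derive its owning project via the meeting, and
  # require the permission there. Unknown and unauthorized ids get the same answer.
  def create_item_fixed(user, section_id, title)
    section = @sections[section_id]
    return :forbidden unless section && allowed_in?(user, :manage_agendas, section.meeting.project)
    @items << [section.id, user, title]
    :created
  end

  private

  def allowed_anywhere?(user, perm)
    @memberships.any? { |m| m.user == user && m.permissions.include?(perm) }
  end
  def allowed_in?(user, perm, project)
    @memberships.any? { |m| m.user == user && m.project == project && m.permissions.include?(perm) }
  end
end

# Constructed scenario: mallory holds manage_agendas only in project 1 but submits
# the id of a section that belongs to a meeting in project 2.
def demo
  alpha, beta = Project.new(1), Project.new(2)
  sections = [Section.new(10, Meeting.new(100, alpha)), Section.new(11, Meeting.new(101, beta))]
  svc = AgendaService.new([Membership.new("mallory", alpha, [:manage_agendas])], sections)
  { vulnerable: svc.create_item_vulnerable("mallory", 11, "x"),
    fixed: svc.create_item_fixed("mallory", 11, "x"), own_project: svc.create_item_fixed("mallory", 10, "x") }
end
```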
Workarounds
- Restrict the manage_agendas permission to trusted administrators until the upgrade is applied
- Limit network exposure of the OpenProject instance to authenticated internal users where feasible
- Increase logging verbosity on meeting and agenda endpoints to detect exploitation attempts during the patch window
# Verify the installed OpenProject version before and after upgrade
sudo openproject run bundle exec rake version
# Expected output after remediation: OpenProject 17.3.0 or newer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.