CVE-2026-24777

Published: Feb 9, 2026

Modified: Feb 9, 2026

PUBLISHED

CVSS v3.1

6.7

MEDIUM

Description

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.

Vendor	Product	Versions
opf	openproject	affected `< 17.0.2`

Weaknesses (CWE)

CWE-862

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

References

https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69

x_refsource_CONFIRM

https://github.com/opf/openproject/releases/tag/v17.0.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-24777

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References