CVE-2026-40896
Published: 20 April 2026
Summary
CVE-2026-40896 is a medium-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability in OpenProject (NVD vendor/product: Openproject/Openproject). Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). Its exploit-likelihood ranking is the 8.2 percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations for accessing and modifying meetings and agendas, directly preventing the cross-project injection caused by insufficient authorization checks.
SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws like CVE-2026-40896, ensuring patches such as OpenProject 17.3.0 are applied to eliminate the authorization bypass.
AC-6 (Least Privilege): restricts `manage_agendas` permissions to the specific projects that need them, limiting the scope and impact of unauthorized agenda injections even where enforcement is flawed.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass (CWE-639) via insufficient project-scoped checks allows authenticated low-privilege users to inject/modify agenda items in unauthorized projects' meetings, directly enabling stored data manipulation.
NVD Description
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance, even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
Deeper analysis
CVE-2026-40896 is a vulnerability in OpenProject, an open-source, web-based project management application. In versions prior to 17.3.0, a user with the `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the same instance, including projects they have no access to. The issue stems from insufficient authorization checks and is mapped to CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) and CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N), indicating medium severity with high integrity impact.
An authenticated attacker requires only low-privilege access, specifically the `manage_agendas` permission in a single project, to exploit this over the network with low complexity and no user interaction. No prior knowledge of the target project, meeting, or victims is needed; the attacker can blindly enumerate and inject items into every meeting instance-wide by iterating sequential section IDs, effectively spraying malicious agenda content across projects.
The OpenProject security advisory (GHSA-hh5p-gwf8-h245) and associated patch commit confirm that upgrading to version 17.3.0 resolves the issue by enforcing proper project-scoped authorization for agenda management. Security practitioners should prioritize patching affected instances and review permissions for `manage_agendas` roles.
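The defect class the analysis describes, shown as an added illustration in Ruby (the language OpenProject is written in); this is not OpenProject's own code or the patch, and the class names, the `manage_agendas` symbol and the fixture data are assumptions constructed for the example. The vulnerable check verifies the permission without reference to the resource the caller's section ID points at; the fixed check resolves the owning project from the resource first.

```ruby
# Added illustration (not OpenProject's code): the CWE-639 pattern behind
# CVE-2026-40896 on a minimal in-memory domain. Project, Meeting, AgendaSection
# and the :manage_agendas symbol are assumptions made for this example.

Project       = Struct.new(:id, :name)
Meeting       = Struct.new(:id, :project_id)
AgendaSection = Struct.new(:id, :meeting_id)

# Constructed fixture: two projects, one meeting each, one agenda section each.
PROJECTS = { 1 => Project.new(1, "alpha"), 2 => Project.new(2, "beta") }
MEETINGS = { 10 => Meeting.new(10, 1), 20 => Meeting.new(20, 2) }
SECTIONS = { 100 => AgendaSection.new(100, 10), 200 => AgendaSection.new(200, 20) }

# Permissions are granted per project: { project_id => [permission, ...] }.
User = Struct.new(:name, :permissions) do
  def allowed?(permission, project_id)
    Array(permissions[project_id]).include?(permission)
  end

  def allowed_anywhere?(permission)
    permissions.values.any? { |perms| perms.include?(permission) }
  end
end

# Vulnerable pattern: the permission is checked in isolation from the resource
# named by the user-supplied section_id, so holding manage_agendas in any one
# project unlocks every agenda section on the instance.
def authorize_vulnerable(user, section_id)
  return :not_found unless SECTIONS.key?(section_id)
  user.allowed_anywhere?(:manage_agendas) ? :ok : :forbidden
end

# Fixed pattern: derive the owning project from the resource itself and require
# the permission in that project. Unknown and foreign section IDs get the same
# answer, so the endpoint does not act as an enumeration oracle.
def authorize_fixed(user, section_id)
  section = SECTIONS[section_id]
  meeting = section && MEETINGS[section.meeting_id]
  return :forbidden unless meeting && user.allowed?(:manage_agendas, meeting.project_id)
  :ok
end

# Constructed user holding manage_agendas only in project 1 ("alpha").
LOW_PRIV = User.new("low_priv", { 1 => [:manage_agendas] })

[100, 200, 999].each do |sid|
  puts "section #{sid}: vulnerable=#{authorize_vulnerable(LOW_PRIV, sid)} fixed=#{authorize_fixed(LOW_PRIV, sid)}"
end
```

Section 200 belongs to project 2, where the user holds nothing; the vulnerable check still returns :ok for it, the fixed check refuses it and the nonexistent ID 999 alike.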
Details
- CWE(s)