CRITICAL🇵🇱 Wersja polska

CVE-2026-52782

CVSS 9.9v3.1pub. 2026-06-26upd. 2026-06-29

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources. A project-admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's Storages::ProjectStorage row. The next managed-folder sync overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.

🤖 AI Analysis
How it works

An attacker who is a project administrator sends a PATCH request to the endpoint /projects/<A>/settings/project_storages/<A_ps_id>, manipulating the 'storages_project_storage[project_folder_id]' parameter by specifying a folder identifier belonging to another project. The application does not properly verify whether the specified folder belongs to the attacker's project, and saves the foreign folder identifier in the Storages::ProjectStorage record of the attacker's project. During the next synchronization of managed folders, the system overwrites the access control lists (ACLs) on the taken-over folder with the list of users from the attacker's project, effectively taking control of someone else's resource.

Impact

Attacker gains unauthorized access to Nextcloud or OneDrive folders belonging to other projects and can overwrite their permissions, leading to disclosure of sensitive data, modification, or loss of access for legitimate users.

Mitigation & patch

OpenProject should be updated to version 17.3.3 or 17.4.1, in which the vulnerability has been fixed. Detailed information is available in the producer's security advisory at https://github.com/opf/openproject/security/advisories/GHSA-3vpx-94qx-xpw6

Who is affected

OpenProject in versions before 17.3.3 (17.3.x branch) and before 17.4.1 (17.4.x branch), using integration with Nextcloud or OneDrive file storage

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
IDOR
CWE
References