CVE-2026-30236

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.2.0

Description OpenProject is a web-based, open-source project management software. Before version 17.2.0, editing a project budget and planning labor costs did not verify if the user assigned to the budget was a project member. This exposed the user’s default rate to individuals who should not have access to this information. The pre-calculation endpoint, used for displaying cost previews, also failed to validate user membership, allowing costs to be calculated using the default rates of non-members. The vulnerable parameter is the user associated with the budget.

Recommendations Versions prior to 17.2.0 should be updated to version 17.2.0 or later.