CVE-2026-30239

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.2.0

Description OpenProject is an open-source, web-based project management software. Before version 17.2.0, deleting a budget did not perform a permission check before reassigning associated work packages to a different budget. This allowed all users of the application to delete work package budget assignments. The issue involves a bypass of the permission check during budget deletion, leading to unintended reassignment of work packages.

Recommendations Update OpenProject to version 17.2.0 or later.