PT-2026-3465 · Unknown · Openproject
Syndrome-Impostor · Published 2026-01-19 · Updated 2026-02-02
CVE-2026-23646 · CVSS v3.1 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.5
OpenProject versions prior to 17.0.1
Description
OpenProject is a web-based project management software. In affected versions, an authenticated user could terminate the sessions of other users (forcing them to authenticate again) by iterating requests to the DELETE /my/sessions/:id API endpoint with manipulated session IDs (id). The endpoint did not verify that the session identified by id belonged to the user attempting to delete it. Although users could not access sensitive information such as browser identifiers or IP addresses, they could terminate other users' active sessions.
Recommendations
Update OpenProject to version 16.6.5 or later.
Update OpenProject to version 17.0.1 or later.
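The root cause described above is a missing ownership check: the handler trusts the id from the URL and acts on whatever session it names. The following Ruby snippet is an added illustration, not OpenProject's code, and uses a constructed in-memory session store to show the vulnerable lookup beside the hardened one, where the lookup is scoped to the caller's own sessions. The names SessionStore, delete_session_vulnerable and delete_session_fixed are assumptions made for the example.

```ruby
# Added example (not OpenProject's code): models the missing ownership check
# behind CVE-2026-23646 with a constructed in-memory session store.

Session = Struct.new(:id, :user_id, :active)

class SessionStore
  def initialize
    @sessions = {}
    @next_id = 1
  end

  # Creates an active session for user_id and returns it.
  def create(user_id)
    s = Session.new(@next_id, user_id, true)
    @sessions[s.id] = s
    @next_id += 1
    s
  end

  # Global lookup by id, with no notion of who is asking.
  def find(id)
    @sessions.fetch(id) { raise KeyError, "session #{id} not found" }
  end

  # Only the sessions that belong to user_id and are still active.
  def active_sessions_for(user_id)
    @sessions.values.select { |s| s.user_id == user_id && s.active }
  end
end

# Vulnerable handler: current_user_id is accepted but never consulted, so any
# authenticated caller who iterates ids can terminate other users' sessions.
def delete_session_vulnerable(store, current_user_id, id)
  session = store.find(id)
  session.active = false
  :deleted
end

# Hardened handler: the lookup is scoped to the caller's own active sessions.
# An id belonging to another user is simply :not_found, which also avoids
# leaking whether that id exists at all.
def delete_session_fixed(store, current_user_id, id)
  session = store.active_sessions_for(current_user_id).find { |s| s.id == id }
  return :not_found if session.nil?
  session.active = false
  :deleted
end

# Runs both handlers against the same scenario (user 1 tries to delete user 2's
# session) and returns the outcomes, so the difference is visible at a glance.
def compare_handlers
  vuln_store = SessionStore.new
  vuln_store.create(1)
  victim = vuln_store.create(2)
  vuln_result = delete_session_vulnerable(vuln_store, 1, victim.id)

  fixed_store = SessionStore.new
  fixed_store.create(1)
  victim = fixed_store.create(2)
  fixed_result = delete_session_fixed(fixed_store, 1, victim.id)

  {
    vulnerable: vuln_result,                       # :deleted (victim logged out)
    vulnerable_victim_sessions: vuln_store.active_sessions_for(2).size, # 0
    fixed: fixed_result,                           # :not_found
    fixed_victim_sessions: fixed_store.active_sessions_for(2).size      # 1
  }
end

puts compare_handlers.inspect if __FILE__ == $PROGRAM_NAME
```

The design point is that the fix is not an extra `if session.user_id == current_user_id` bolted onto the global lookup, but a lookup that can only ever return the caller's own records; that way a later refactor cannot forget the check, and a foreign id and a nonexistent id are indistinguishable to the caller.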
Affected Products
Openproject