PT-2026-6762 · Unknown · Openproject

Asoticdin · Published 2026-02-06 · Updated 2026-02-06 · CVE-2026-24776

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

OpenProject versions prior to 17.0.2

Description

OpenProject is web-based project management software. A flaw existed in the drag-and-drop functionality for agenda items: the system did not verify that the target meeting section belonged to the same meeting as the item being moved. This allowed an attacker to move agenda items into different meetings, potentially causing confusion, but did not grant access to those meetings. The issue lay in the drag-and-drop handler's handling of meeting sections, specifically when moving an agenda item to a different section.

Recommendations

Update to version 17.0.2 or later.
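
The missing check from the description, sketched as an added Ruby example (not OpenProject's code; the model names, the in-memory section table and the sample ids are constructed for illustration). The first method resolves the target section without regard to its meeting, the second scopes the lookup to the item's own meeting and rejects anything else.

```ruby
# Hypothetical models; names and fields are assumptions, not OpenProject's schema.
Section    = Struct.new(:id, :meeting_id)
AgendaItem = Struct.new(:id, :meeting_id, :section_id)

class CrossMeetingMove < StandardError; end

# Constructed sample data: meeting 1 owns sections 10 and 11, meeting 2 owns 20.
SECTIONS = {
  10 => Section.new(10, 1),
  11 => Section.new(11, 1),
  20 => Section.new(20, 2)
}.freeze

# Flawed pattern: the client-supplied section id is resolved globally,
# so nothing ties the target section to the item's own meeting.
def move_item_unchecked(item, target_section_id)
  section = SECTIONS.fetch(target_section_id)
  item.section_id = section.id
  item.meeting_id = section.meeting_id # item silently lands in another meeting
  item
end

# Hardened pattern: accept the section only if it belongs to the item's
# meeting, and reject before any state is changed.
def move_item_checked(item, target_section_id)
  section = SECTIONS[target_section_id]
  unless section && section.meeting_id == item.meeting_id
    raise CrossMeetingMove,
          "section #{target_section_id} is not part of meeting #{item.meeting_id}"
  end
  item.section_id = section.id
  item
end

# Runs both patterns against the constructed data and collects the outcomes.
def demo
  results = {}
  results[:unchecked]    = move_item_unchecked(AgendaItem.new(100, 1, 10), 20).meeting_id
  results[:same_meeting] = move_item_checked(AgendaItem.new(101, 1, 10), 11).section_id
  item = AgendaItem.new(102, 1, 10)
  begin
    move_item_checked(item, 20)
    results[:cross_meeting] = :allowed
  rescue CrossMeetingMove
    results[:cross_meeting] = :rejected
  end
  results[:item_after_reject] = [item.meeting_id, item.section_id]
  results
end
```

In a real handler the same effect is usually achieved by looking the section up through the meeting's own association rather than by global id, so a foreign id simply fails to resolve.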

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-24776
GHSA-P9V8-W9PH-HQMF

Affected Products

Openproject