CVE-2026-23646

OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/opf/openproject/releases/tag/v16.6.5	Release Notes
https://github.com/opf/openproject/releases/tag/v17.0.1	Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openproject:openproject::::::::
	cpe:2.3:a:openproject:openproject:17.0.0:::::::*

History

No history.

Information

Published : 2026-01-19 18:16

Updated : 2026-02-02 20:46

NVD link : CVE-2026-23646

Mitre link : CVE-2026-23646

CVE.ORG link : CVE-2026-23646

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-488

Exposure of Data Element to Wrong Session

{"id": "CVE-2026-23646", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-01-19T18:16:05.587", "references": [{"url": "https://github.com/opf/openproject/releases/tag/v16.6.5", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/releases/tag/v17.0.1", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-488"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings \u2192 Sessions. When deleting a session, it was not properly checked if the session belongs to the user. As the ID that is used to identify these session objects use incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc) of other users that are stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available as this does not require any permissions or other that can temporarily be disabled."}], "lastModified": "2026-02-02T20:46:13.157", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C6FE059-AB36-4883-AE55-2E65FDE51BD2", "versionEndExcluding": "16.6.5"}, {"criteria": "cpe:2.3:a:openproject:openproject:17.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78FA3834-A1AB-4489-AE2A-2C7FAE9B619F"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}