CVE-2026-27723

OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/opf/openproject/releases/tag/v17.0.5	Product Release Notes
https://github.com/opf/openproject/releases/tag/v17.1.2	Product Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-9gc6-3xjq-pwc9	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openproject:openproject::::::::
	cpe:2.3:a:openproject:openproject::::::::

History

10 Mar 2026, 18:21

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:openproject:openproject::::::::
Summary		(es) OpenProject es un software de gestión de proyectos de código abierto basado en la web. Antes de las versiones 17.0.5 y 17.1.2, un atacante puede crear páginas wiki pertenecientes a proyectos no autorizados a través de una solicitud con autenticación incorrecta. Este problema ha sido parcheado en las versiones 17.0.5 y 17.1.2.
First Time		Openproject openproject Openproject
References	~~() https://github.com/opf/openproject/releases/tag/v17.0.5 -~~	() https://github.com/opf/openproject/releases/tag/v17.0.5 - Product, Release Notes
References	~~() https://github.com/opf/openproject/releases/tag/v17.1.2 -~~	() https://github.com/opf/openproject/releases/tag/v17.1.2 - Product, Release Notes
References	~~() https://github.com/opf/openproject/security/advisories/GHSA-9gc6-3xjq-pwc9 -~~	() https://github.com/opf/openproject/security/advisories/GHSA-9gc6-3xjq-pwc9 - Vendor Advisory

05 Mar 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 19:16

Updated : 2026-03-10 18:21

NVD link : CVE-2026-27723

Mitre link : CVE-2026-27723

CVE.ORG link : CVE-2026-27723

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-284

Improper Access Control

NVD-CWE-noinfo

{"id": "CVE-2026-27723", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-05T19:16:05.660", "references": [{"url": "https://github.com/opf/openproject/releases/tag/v17.0.5", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/releases/tag/v17.1.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/opf/openproject/security/advisories/GHSA-9gc6-3xjq-pwc9", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2."}, {"lang": "es", "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto basado en la web. Antes de las versiones 17.0.5 y 17.1.2, un atacante puede crear p\u00e1ginas wiki pertenecientes a proyectos no autorizados a trav\u00e9s de una solicitud con autenticaci\u00f3n incorrecta. Este problema ha sido parcheado en las versiones 17.0.5 y 17.1.2."}], "lastModified": "2026-03-10T18:21:31.617", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F0A8442-0E13-46ED-8123-1E19A94A47D6", "versionEndExcluding": "17.0.5"}, {"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02E31D6F-C404-4FAC-B21F-E477E2314A8D", "versionEndExcluding": "17.1.2", "versionStartIncluding": "17.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}