OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- <= 16.6.4
- <= 17.0.0
A vulnerability exists in OpenProject versions prior to 16.6.5 and 17.0.1, allowing users to terminate other users' active sessions. This issue arises because the application does not properly verify session ownership when a session is deleted. Users can exploit this by sending requests to delete sessions using the session ID, which is an incremental integer. Although this vulnerability does not expose any sensitive information from the session, it improperly disrupts other users' sessions.
Exploitation of this vulnerability allows users to log out other users by terminating their active sessions.
Users are advised to update OpenProject to version 16.6.5 or 17.0.1.
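The defect described above is a missing ownership check on a resource addressed by a guessable integer id. As an added illustration (this is not OpenProject's code; the store, method names and the symbolic user ids are all constructed for the example), the following Ruby sketch contrasts a session-deletion lookup keyed on the id alone with one scoped to the calling user. The scoped version also treats a session the caller does not own exactly like one that does not exist, so the response never confirms whether a given id is in use.

```ruby
# Added illustration, not OpenProject code: a minimal in-memory session store
# showing why "delete session N" must be scoped to the caller's own sessions.
class SessionStore
  Session = Struct.new(:id, :user_id, :active)

  def initialize
    @sessions = {}   # id => Session
    @next_id = 1     # incremental integer id, as the advisory describes
  end

  # Create a session for user_id and return its (guessable) integer id.
  def create(user_id)
    session = Session.new(@next_id, user_id, true)
    @sessions[session.id] = session
    @next_id += 1
    session.id
  end

  def active?(id)
    s = @sessions[id]
    !s.nil? && s.active
  end

  # Vulnerable pattern: the lookup is by id alone, so any authenticated
  # caller can terminate any session whose id they can guess.
  def destroy_unscoped(id)
    s = @sessions[id]
    return false unless s
    s.active = false
    true
  end

  # Hardened pattern: the lookup is scoped to the caller. A session the
  # caller does not own is handled exactly like a nonexistent one, so the
  # result neither terminates it nor reveals that id N exists.
  def destroy(id, acting_user_id)
    s = @sessions[id]
    return false unless s && s.user_id == acting_user_id
    s.active = false
    true
  end
end

# Walk both code paths against constructed data and return the outcomes.
def demo
  results = {}

  # Unscoped path: Bob names Alice's session id and logs her out.
  store = SessionStore.new
  alice = store.create(:alice)
  store.create(:bob)
  results[:unscoped_result] = store.destroy_unscoped(alice)
  results[:alice_after_unscoped] = store.active?(alice)

  # Scoped path: the same request is refused and Alice stays logged in,
  # while Bob can still end his own session.
  store = SessionStore.new
  alice = store.create(:alice)
  bob   = store.create(:bob)
  results[:scoped_result] = store.destroy(alice, :bob)
  results[:alice_after_scoped] = store.active?(alice)
  results[:own_result] = store.destroy(bob, :bob)
  results[:bob_after_own] = store.active?(bob)

  results
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

In a real application the same scoping is usually expressed by loading the record through the current user's association (the caller's own sessions) rather than through the global table, so the ownership check cannot be forgotten on a new code path.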