OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 17.0.2
A vulnerability in OpenProject prior to version 17.0.2 allows meeting agenda items to be improperly transferred between different meetings. The issue arises because the drag-and-drop functionality does not adequately verify that the target section belongs to the same meeting or, for recurring meetings, is part of the backlog. As a result, an attacker could move agenda items into another meeting, potentially causing confusion, although they would not gain access to the meetings themselves.
Exploitation of this vulnerability could lead to cross-project transfer of meeting agenda items, causing confusion by misplacing agenda items in incorrect meetings.
Users can update to OpenProject version 17.0.2, which addresses this vulnerability. If an immediate update is not possible, administrators can review and manage the 'Manage Agenda Items' permission for users.
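The missing target check described above, shown as an added Ruby example that is not OpenProject's code: the data model, the function names (`move_item_unchecked`, `valid_target?`, `move_item_checked`) and the sample records are hypothetical and constructed for illustration.

```ruby
# Hypothetical model, not OpenProject's schema: a section belongs either to
# one meeting or, as a backlog, to a recurring-meeting series.
Meeting    = Struct.new(:id, :series_id)            # series_id is nil for one-off meetings
Section    = Struct.new(:id, :meeting_id, :backlog_series_id)
AgendaItem = Struct.new(:id, :meeting_id, :section_id)

class InvalidTarget < StandardError; end

# "Before": trusts whatever section id the drag-and-drop request names.
def move_item_unchecked(item, target)
  item.section_id = target.id
  item.meeting_id = target.meeting_id if target.meeting_id
  item
end

# A target is acceptable only if it is a section of the item's own meeting,
# or the backlog of the series that meeting belongs to.
def valid_target?(meeting, target)
  return true if target.meeting_id == meeting.id
  # Guard against nil == nil matching a one-off meeting with a plain section.
  !meeting.series_id.nil? && target.backlog_series_id == meeting.series_id
end

# "After": reject the move before any attribute changes.
def move_item_checked(item, meetings, target)
  meeting = meetings.fetch(item.meeting_id)
  unless valid_target?(meeting, target)
    raise InvalidTarget, "section #{target.id} is outside meeting #{meeting.id}"
  end
  item.section_id = target.id
  item
end

# Constructed sample data.
MEETINGS   = { 1 => Meeting.new(1, 10), 2 => Meeting.new(2, nil) }.freeze
OWN        = Section.new(100, 1, nil)    # section of meeting 1
FOREIGN    = Section.new(200, 2, nil)    # section of meeting 2
BACKLOG_10 = Section.new(300, nil, 10)   # backlog of series 10 (meeting 1)
BACKLOG_11 = Section.new(301, nil, 11)   # backlog of an unrelated series

if __FILE__ == $PROGRAM_NAME
  [OWN, FOREIGN, BACKLOG_10, BACKLOG_11].each do |target|
    item = AgendaItem.new(1, 1, 100)
    move_item_checked(item, MEETINGS, target)
    puts "section #{target.id}: moved"
  rescue InvalidTarget => e
    puts "section #{target.id}: rejected (#{e.message})"
  end
end
```
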