OpenProject Improper Access Control Vulnerability Allows User Managers to Lock Admin Accounts

Vulnerability

A vulnerability in OpenProject prior to version 17.0.2 allows users with the 'Manage Users' permission to lock and unlock accounts, including those of application administrators. The issue arises from a missing server-side permission check, which lets users who are not administrators disrupt admin access. The gap was masked by a frontend flaw: the lock/unlock controls were shown only to full application administrators, so the missing check on the server went unnoticed.

Impact

Exploitation of this vulnerability allows users with the 'Manage Users' permission to lock application administrators out of their accounts, cutting off their access and potentially disrupting operations.

Remediation

The vulnerability has been patched in OpenProject version 17.0.2. Until they can update to the patched version, administrators should review which users hold the 'Manage Users' permission and temporarily remove it.
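The following is an added example, not OpenProject's own code, that models the authorization gap described in the Vulnerability section and the permission review recommended under Remediation. The User model, the :manage_users symbol and the admin flag are assumptions for illustration only.

```ruby
# Added example (not OpenProject code): models the missing server-side check
# behind this advisory. Model names, :manage_users and the admin flag are
# assumptions for illustration.

User = Struct.new(:login, :admin, :permissions, :locked, keyword_init: true) do
  def admin?
    admin
  end

  # Administrators implicitly hold every permission.
  def allowed?(perm)
    admin || permissions.include?(perm)
  end
end

# Vulnerable form: any holder of :manage_users may lock anyone, administrators
# included. The UI hid the control from non-admins, but the server never checked.
def can_lock_vulnerable?(actor, target)
  actor.allowed?(:manage_users)
end

# Hardened form: changing the lock state of an administrator account is reserved
# for administrators, and an actor can never lock their own account.
def can_lock_fixed?(actor, target)
  return false if actor.login == target.login
  return actor.admin? if target.admin?
  actor.allowed?(:manage_users)
end

# Apply the lock through the given policy method; returns whether it took effect.
def lock_user!(actor, target, policy)
  return false unless policy.call(actor, target)
  target.locked = true
  true
end

# Remediation aid: non-admin accounts holding :manage_users are the ones whose
# permission the advisory recommends removing until the update is applied.
def users_to_review(users)
  users.reject(&:admin?).select { |u| u.permissions.include?(:manage_users) }.map(&:login)
end

if $PROGRAM_NAME == __FILE__
  admin   = User.new(login: "root", admin: true,  permissions: [], locked: false)
  manager = User.new(login: "mgr",  admin: false, permissions: [:manage_users], locked: false)
  puts "vulnerable policy, manager locks admin: #{lock_user!(manager, admin.dup, method(:can_lock_vulnerable?))}"
  puts "fixed policy, manager locks admin:      #{lock_user!(manager, admin.dup, method(:can_lock_fixed?))}"
  puts "accounts to review: #{users_to_review([admin, manager]).inspect}"
end
```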

Added: Feb 9, 2026, 7:18 PM
Updated: Feb 9, 2026, 9:57 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact          2.5
exploitability  5.2
remediation     8.3
relevance       2.9
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.