OpenProject Default Rate Exposure Vulnerability for Non-Members in Labor Budget Planning

Vulnerability

OpenProject versions prior to 17.2.0 allow a user who is planning a project's labor budget to use the default labor rate of users who are not members of that project. The software does not verify project membership before a user's default rate is pulled into budget calculations, so the rate of any user can be selected. The cost pre-calculation endpoint has the same flaw: it does not validate that the referenced user is a project member, so non-member rates can be used in cost estimates as well.
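To make the missing check concrete, the following is an added example and not OpenProject's own code: the Project and User structs, the rate lookup functions and the pre-calculation routine are hypothetical names, and the sample data is constructed. It contrasts a rate lookup that skips the membership check with one that fails closed, and shows a pre-calculation routine built on the hardened lookup so that a single non-member aborts the whole estimate.

```ruby
# Added example, not OpenProject's code. All names below are hypothetical and
# the sample data is constructed; the structure mirrors the flaw described in
# the advisory: a rate lookup that never asks whether the user is a member.

# A project knows which user ids are its members.
Project = Struct.new(:id, :member_ids)
# A user carries a default hourly labor rate.
User = Struct.new(:id, :default_rate)

class NotAMemberError < StandardError; end

# Vulnerable lookup: hands back any user's default rate, whether or not the
# user belongs to the project the budget is being planned for.
def rate_for_budget_unchecked(_project, user)
  user.default_rate
end

# Hardened lookup: refuse to use (and thereby reveal) a rate for anyone who is
# not a member of this project. It fails closed; a controller would map the
# error to an authorization failure (e.g. HTTP 403) instead of a number.
def rate_for_budget(project, user)
  unless project.member_ids.include?(user.id)
    raise NotAMemberError, "user #{user.id} is not a member of project #{project.id}"
  end
  user.default_rate
end

# Pre-calculation analogue: total labor cost for planned entries of the form
# { user_id:, hours: }. Because every rate goes through the hardened lookup,
# an entry that references a non-member aborts the whole estimate rather than
# silently contributing a leaked rate.
def precalculate_labor_cost(project, entries, users_by_id)
  entries.sum do |entry|
    user = users_by_id.fetch(entry[:user_id])
    entry[:hours] * rate_for_budget(project, user)
  end
end

# Constructed sample data: user 1 is a member of project 10, user 2 is not.
SAMPLE_USERS = {
  1 => User.new(1, 80.0),
  2 => User.new(2, 120.0),
}.freeze
SAMPLE_PROJECT = Project.new(10, [1]).freeze

if __FILE__ == $PROGRAM_NAME
  puts "unchecked: non-member rate leaks as #{rate_for_budget_unchecked(SAMPLE_PROJECT, SAMPLE_USERS[2])}"
  puts "checked:   member rate is #{rate_for_budget(SAMPLE_PROJECT, SAMPLE_USERS[1])}"
  begin
    rate_for_budget(SAMPLE_PROJECT, SAMPLE_USERS[2])
  rescue NotAMemberError => e
    puts "checked:   #{e.message}"
  end
  puts "estimate for member only: #{precalculate_labor_cost(SAMPLE_PROJECT, [{ user_id: 1, hours: 10 }], SAMPLE_USERS)}"
end
```

The membership test belongs wherever the rate is read, not only in the view that lists selectable users: both the budget form and the pre-calculation endpoint reach the same lookup, so guarding the lookup closes both paths at once.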

Impact

A user with budget planning access can read the default labor rates of users who are not members of the project, information they are not authorized to see, and use those rates in budget calculations and cost estimates.

Remediation

Upgrade to OpenProject 17.2.0 or later, which addresses this vulnerability.

Added: Mar 11, 2026, 5:24 PM
Updated: Mar 11, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.6
exploitability: 4.8
remediation: 7.7
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.