OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 17.2.0
A vulnerability exists in OpenProject versions prior to 17.2.0, where the permission check for deleting budgets was not properly enforced. When a budget is deleted, the associated work packages must be reassigned to a different budget. However, the deletion process allowed all users to remove work package budget assignments without the necessary permissions. This issue has been addressed in version 17.2.0.
Exploitation of this vulnerability could lead to unauthorized deletion of work package budget assignments, allowing users to manipulate budget allocations without proper oversight.
Users can upgrade to OpenProject version 17.2.0 or later to address this vulnerability.