Medium severity · CVSS 6.5 · NVD Advisory · Published Apr 20, 2026 · Updated Apr 23, 2026
CVE-2026-40896
Description
OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with manage_agendas permission in any project can inject agenda items into meetings belonging to any other project on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue.
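The "unscoped section lookup" the description refers to, as an added illustration in plain Ruby that is not OpenProject's code: the model names, the in-memory tables, the permission map and the user names are all constructed assumptions. The vulnerable function only asks whether the caller holds the permission somewhere and then fetches the section by bare id, so any sequential id reaches any meeting; the hardened function resolves the section's project and requires the permission in that project, answering not-found for anything outside the caller's scope.

```ruby
# Added illustration of an unscoped versus a project-scoped lookup.
# Not OpenProject's code: every name below is hypothetical.

Project = Struct.new(:id, :name)
Meeting = Struct.new(:id, :project_id)
Section = Struct.new(:id, :meeting_id, :items)

class NotFound < StandardError; end
class Forbidden < StandardError; end

# Constructed sample data: two projects, one meeting each, sequential section ids.
PROJECTS = { 1 => Project.new(1, "alpha"), 2 => Project.new(2, "beta") }
MEETINGS = { 10 => Meeting.new(10, 1), 11 => Meeting.new(11, 2) }
SECTIONS = { 100 => Section.new(100, 10, []), 101 => Section.new(101, 11, []) }

# Constructed permission map: user => project ids where they hold manage_agendas.
PERMISSIONS = { "mallory" => [1], "alice" => [2] }

# Vulnerable pattern: permission is checked globally ("has it anywhere?") and
# the section is fetched by id without any relation to the caller's projects.
def add_item_unscoped(user, section_id, title)
  raise Forbidden if PERMISSIONS.fetch(user, []).empty?
  section = SECTIONS[section_id] or raise NotFound
  section.items << title
  section
end

# Hardened pattern: walk from the section to its meeting's project and require
# the permission in exactly that project. Ids outside the caller's scope are
# reported the same way as nonexistent ids, so they cannot be enumerated.
def add_item_scoped(user, section_id, title)
  section = SECTIONS[section_id] or raise NotFound
  meeting = MEETINGS.fetch(section.meeting_id)
  raise NotFound unless PERMISSIONS.fetch(user, []).include?(meeting.project_id)
  section.items << title
  section
end

if __FILE__ == $PROGRAM_NAME
  # mallory holds manage_agendas only in project 1; section 101 belongs to project 2.
  add_item_unscoped("mallory", 101, "injected")   # succeeds: the defect
  begin
    add_item_scoped("mallory", 101, "injected")
  rescue NotFound
    puts "scoped lookup refused the cross-project section"
  end
end
```

Answering NotFound rather than Forbidden for out-of-scope ids is a deliberate choice: a distinct "exists but forbidden" response would still confirm which sequential ids are live meetings on the instance.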
Affected products
Patches (1)
8f693a1f35d0 · Update security fixes
1 file changed · +49 −0
docs/release-notes/17-3-0/README.md+49 −0 modified@@ -16,6 +16,55 @@ release_date: 2026-04-15 <!-- BEGIN CVE AUTOMATED SECTION --> +## Security fixes + + + +### CVE-2026-33667 - 2FA OTP Verification Missing Rate Limiting + +The 2FA OTP verification (`confirm_otp` action) has no rate limiting, lockout mechanism, or failed-attempt tracking. An attacker who knows a user's password can brute-force the 6-digit TOTP code without any protection slowing or blocking the attempts. + + + +The existing `brute_force_block_after_failed_logins` setting only counts password login failures and does not apply to the 2FA verification stage. + + + +This vulnerability was reported by GitHub user [Wernerina](https://github.com/Wernerina). Thank you for responsibly disclosing your findings. + + + +For more information, please see the [GitHub advisory #GHSA-234r-45m2-w6cv](https://github.com/opf/openproject/security/advisories/GHSA-234r-45m2-w6cv) + + + +### GHSA-hh5p-gwf8-h245 - Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup + +A user with \`manage\_agendas\` permission in any project can inject agenda items into meetings belonging to \*\*any other project\*\* on the instance — even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. 
+ + + +This vulnerability was reported through GitHub advisories by user [jeroengui](https://github.com/jeroengui) + + + +For more information, please see the [GitHub advisory #GHSA-hh5p-gwf8-h245](https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245) + + + +### GHSA-qr54-686p-j34x - Reminders Leak Work Package Data After Access Revocation + +Reminder listing exposes work package IDs, subjects, and user-authored notes were remaining after the user's project access is revoke + + + +This vulnerability was reported by GitHub user [DAVIDAROCA27](https://github.com/DAVIDAROCA27) + + + +For more information, please see the [GitHub advisory #GHSA-qr54-686p-j34x](https://github.com/opf/openproject/security/advisories/GHSA-qr54-686p-j34x) + + <!-- END CVE AUTOMATED SECTION --> ## Important feature changes
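Review bot: the GHSA-qr54-686p-j34x entry's sentence "Reminder listing exposes work package IDs, subjects, and user-authored notes were remaining after the user's project access is revoke" is ungrammatical and cut off at "revoke"; suggest "Reminder listings continued to expose work package IDs, subjects, and user-authored notes after the user's project access was revoked." Two smaller points in the same hunk: the GHSA-hh5p-gwf8-h245 entry backslash-escapes its markdown (`\`manage\_agendas\`` and `\*\*any other project\*\*`), so the backticks and asterisks will render literally instead of as code and bold, and its heading carries no CVE number while the first entry's heading does ("CVE-2026-33667 - ..."), so the CVE this advisory is filed under should be added for consistency. Note also that this commit touches only docs/release-notes/17-3-0/README.md; the code change that scopes the section lookup is not in this diff, so readers following the "Patch" reference will not find the fix itself here.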
References (2)
- github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe (NVD tags: Patch)
- github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245 (NVD tags: Exploit, Mitigation, Vendor Advisory)
News mentions (0)
No linked articles in our index yet.