CVE-2026-24777 — MEDIUM (6.7)

Q: How severe is CVE-2026-24777?

CVE-2026-24777 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-24777?

Check the references section above for vendor advisories and patch information. Affected products include: Openproject Openproject.

Vulnerability Description

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for users of the application, but they were not supposed to be able to lock application administrators. Due to a missing permission check this logic was not enforced. The problem was fixed in OpenProject 17.0.2The problem was fixed in OpenProject 17.0.2.

CVSS Score

6.7

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Openproject	Openproject	< 17.0.2

Related Weaknesses (CWE)

CWE-862

References

https://github.com/opf/openproject/releases/tag/v17.0.2Release Notes
https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69Vendor Advisory

FAQ

What is CVE-2026-24777?

CVE-2026-24777 is a vulnerability with a CVSS score of 6.7 (MEDIUM). OpenProject is an open-source, web-based project management software. Prior to 17.0.2, users with the Manage Users permission can lock and unlock users. This functionality should only be possible for ...

How severe is CVE-2026-24777?

CVE-2026-24777 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-24777?

Check the references section above for vendor advisories and patch information. Affected products include: Openproject Openproject.