CVE-2026-30239 — MEDIUM (6.5)

Q: How severe is CVE-2026-30239?

CVE-2026-30239 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-30239?

Check the references section above for vendor advisories and patch information. Affected products include: Openproject Openproject.

Vulnerability Description

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Openproject	Openproject	< 17.2.0

Related Weaknesses (CWE)

CWE-863

References

https://github.com/opf/openproject/security/advisories/GHSA-gpvh-g967-g4h8Vendor Advisory

FAQ

What is CVE-2026-30239?

CVE-2026-30239 is a vulnerability with a CVSS score of 6.5 (MEDIUM). OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different bud...

How severe is CVE-2026-30239?

CVE-2026-30239 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-30239?

Check the references section above for vendor advisories and patch information. Affected products include: Openproject Openproject.