{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40896", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-20T15:12:52.279Z", "dateUpdated": "2026-04-20T16:13:10.714Z"}, "containers": {"cna": {"title": "OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245"}, {"name": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe", "tags": ["x_refsource_MISC"], "url": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe"}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"version": "< 17.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T15:12:52.279Z"}, "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue."}], "source": {"advisory": "GHSA-hh5p-gwf8-h245", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:13:05.532704Z", "id": "CVE-2026-40896", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:13:10.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40896", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:13:05.532704Z"}}}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:12:58.827Z"}}], "cna": {"title": "OpenProject has Cross-Project Meeting Agenda Item Injection via Unscoped Section Lookup", "source": {"advisory": "GHSA-hh5p-gwf8-h245", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "opf", "product": "openproject", "versions": [{"status": "affected", "version": "< 17.3.0"}]}], "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "name": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe", "name": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T15:12:52.279Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40896", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:13:10.714Z", "dateReserved": "2026-04-15T16:37:22.766Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T15:12:52.279Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenProject is open-source, web-based project management software. Prior to version 17.3.0, a user with `manage_agendas` permission in any project can inject agenda items into meetings belonging to any other project on the instance \u2014 even projects they have no access to. No knowledge of the target project, meeting, or victim is required; the attacker can blindly spray items into every meeting on the instance by iterating sequential section IDs. Version 17.3.0 patches the issue."}], "id": "CVE-2026-40896", "lastModified": "2026-04-20T19:03:07.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T16:16:48.567", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/opf/openproject/commit/8f693a1f35d0a84bb69af78fb6925f74329ae4fe"}, {"source": "security-advisories@github.com", "url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/opf/openproject/security/advisories/GHSA-hh5p-gwf8-h245"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}