cvedb.io
CVE-2026-30239
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2026-03-11T17:16:57.773 · Last modified 2026-06-17T10:32:32.813

Summary

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.

Affected products

openproject — openproject

Does this affect you?

Add your gear to cvedb and we'll alert you only when openproject ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.