HarborGuard Database
CVE-2026-52782 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-52782: OpenProject: IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via PATCH parameter "storages_project_storage[project_folder_id]" leads to Access to Unauthorized Resources

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, an IDOR through /projects/<A>/settings/project_storages/<A_ps_id> via the PATCH parameter "storages_project_storage[project_folder_id]" leads to access to unauthorized resources. A project admin in one project can hijack the managed Nextcloud or OneDrive folder of another project on the same storage by writing the victim project's project_folder_id into the attacker's own Storages::ProjectStorage row. The next managed-folder sync then overwrites the ACL on the referenced folder with the attacker project's user list. This vulnerability is fixed in 17.3.3 and 17.4.1.
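The description above boils down to one missing server-side check: the PATCH handler accepts any project_folder_id for the caller's own row, so a folder already bound to another project on the same storage can be claimed and then re-ACLed by the sync job. The Ruby below is an added illustration written for this page, not OpenProject's code or its actual fix; the ProjectStorage struct, the ProjectStorageUpdater class, the :automatic/:manual folder modes and the sample rows are all constructed stand-ins. It shows the two refusals a defender would expect on that update path: a managed (automatically provisioned) folder id is never user-settable, and a manual folder id cannot be rebound if another project on the same storage already owns it.

```ruby
# Added illustration (hypothetical names, not OpenProject's implementation):
# a minimal in-memory model of the Storages::ProjectStorage row and an update
# routine that refuses the folder-rebinding write described in the advisory.

ProjectStorage = Struct.new(:id, :project_id, :storage_id,
                            :project_folder_id, :project_folder_mode)

class FolderConflict < StandardError; end
class Forbidden < StandardError; end

class ProjectStorageUpdater
  def initialize(rows)
    @rows = rows # constructed table standing in for the database
  end

  # current_project_id: the project named in the URL, which the caller administers
  # ps_id: the project_storage row addressed by the URL
  # params: the PATCH body, e.g. { "project_folder_id" => "/OpenProject/Other" }
  def update(current_project_id, ps_id, params)
    row = @rows.find { |r| r.id == ps_id }
    raise Forbidden, "no such project storage" if row.nil?

    # Ownership: the row must belong to the project named in the URL.
    raise Forbidden, "row belongs to another project" unless row.project_id == current_project_id

    new_folder = params["project_folder_id"]
    return row if new_folder.nil?

    # Managed folders are provisioned by the sync job; a caller-supplied id is refused
    # outright, so there is nothing for the next sync to re-ACL on the caller's behalf.
    if row.project_folder_mode == :automatic
      raise Forbidden, "project_folder_id is not user-settable for managed folders"
    end

    # Uniqueness per storage: a folder bound to a different project on the same
    # storage cannot be claimed by this row, which is the write the advisory describes.
    taken = @rows.any? do |r|
      r.id != row.id && r.storage_id == row.storage_id && r.project_folder_id == new_folder
    end
    raise FolderConflict, "folder already bound to another project on this storage" if taken

    row.project_folder_id = new_folder
    row
  end
end

# Constructed sample rows: two projects sharing storage 7.
SAMPLE_ROWS = [
  ProjectStorage.new(1, 100, 7, "/OpenProject/Project A", :manual),
  ProjectStorage.new(2, 200, 7, "/OpenProject/Project B", :automatic)
].freeze

# Runs three requests as project 100's admin and reports what each one did.
def demo
  updater = ProjectStorageUpdater.new(SAMPLE_ROWS.map(&:dup))
  results = {}

  # A legitimate rename of the caller's own manual folder goes through.
  results[:own_row] =
    updater.update(100, 1, { "project_folder_id" => "/OpenProject/Project A v2" }).project_folder_id

  # Pointing the caller's own row at project 200's folder is refused.
  begin
    updater.update(100, 1, { "project_folder_id" => "/OpenProject/Project B" })
    results[:rebind] = :allowed
  rescue FolderConflict
    results[:rebind] = :blocked
  end

  # Editing another project's row through the caller's URL is refused.
  begin
    updater.update(100, 2, { "project_folder_id" => "/OpenProject/X" })
    results[:cross_row] = :allowed
  rescue Forbidden
    results[:cross_row] = :blocked
  end

  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The ownership check alone would not have stopped this class of bug, since the attacker edits a row they legitimately own; the decisive controls are the per-storage uniqueness of the folder binding and refusing client-supplied ids for folders the sync job manages.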

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is an Insecure Direct Object Reference (IDOR) vulnerability in OpenProject, the open-source web-based project management platform. The flaw is reachable over the network by any authenticated low-privilege user (specifically a project administrator in one project) with no additional interaction required, and it carries a CVSS 9.9 Critical score because its scope extends beyond the vulnerable component. Successful exploitation lets an attacker hijack a Nextcloud or OneDrive folder belonging to a different project on the same storage, overwrite its access-control list with their own project's user list, and gain full read, write, and availability impact over that storage resource. No fix versions have been published upstream yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-52782 is ingested from upstream advisory feeds within minutes of publication and matched against any customer image running an affected version of OpenProject, including custom-built images that bundle the package. Coverage extends to both registry scans and in-pipeline image checks on every build.

Triage: Available

HarborGuard surfaces this CVE with its upstream CVSS v3.1 score of 9.9 (Critical) and applies per-environment compliance policy weighting to determine the urgency tier. Triage results are routed to the appropriate team inbox inside each customer organization based on configured ownership rules for the affected workload.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment OpenProject ships a corrective release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is served over HTTP/HTTPS, so the attacker must be able to reach the OpenProject instance across the network.

  • Authentication: Required

    The attacker must hold a low-privilege account, specifically project-admin rights on at least one project within the target OpenProject instance.

  • Victim interaction: Not required

    No action by any other user or administrator is needed to carry out the IDOR write; the attacker submits the malicious PATCH request directly.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is straightforward and reliable with no race conditions or special environmental prerequisites required.

Blast Radius

  • Reads all files stored in the hijacked Nextcloud or OneDrive project folder, exposing documents, attachments, and any sensitive project data belonging to the victim project.
  • Modifies or deletes files in the hijacked folder after the managed-folder sync rewrites the ACL, giving the attacker full write control over the victim project's storage.
  • Overwrites the folder's access-control list with the attacker's project user list, permanently locking out legitimate members of the victim project until the ACL is manually restored.
  • Because the CVSS scope is Changed, impact can extend beyond the OpenProject application itself to the connected Nextcloud or OneDrive storage backend and every user or system that depends on it.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix for CVE-2026-52782 has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild the moment OpenProject releases version 17.3.3 or 17.4.1. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically without manual action. In the interim, compensating controls worth considering include network-policy isolation to restrict which internal principals can reach the OpenProject PATCH endpoint, egress filtering on the OpenProject host to limit unsanctioned calls to connected storage backends, and review of project-admin role assignments to minimize the number of accounts that carry that privilege level across projects sharing a common storage. HarborGuard will emit a re-triage notification to the configured team inbox as soon as upstream publishes a fix.

Affected packages

  • opf / openproject: < 17.3.3 · >= 17.4.0, < 17.4.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H