CVE-2026-30239
CWE-863Published: March 11, 2026· Updated: Mar 13, 2026
Official Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, when budgets are deleted, the work packages that were assigned to this budget need to be moved to a different budget. This action was performed before the permission check on the delete action was executed. This allowed all users in the application to delete work package budget assignments. This vulnerability is fixed in 17.2.0.
Technical Analysis
CVE-2026-30239 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in full integrity compromise (data manipulation), with a CVSS base score of 7.1.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
Official Patches & Advisories
All References (1)
Quick Facts
Related CVEs (CWE-863)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-30239 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts