CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52779

mediumCVSS 5.4covered by 1 sourcefirst seen 2026-06-26
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, a cross-project IDOR / authorization context confusion in the Calendar and Team Planner modules allows a user with management permissions in one project to delete public Calendar or Team Planner Queries from another project where they do not have the corresponding management permissions. Both modules authorize the request against the project identified by :project_id in the URL, but the actual Query object is loaded later by :id from Query.visible(current_user) without verifying that the loaded Query belongs to the authorized project. As a result, an attacker can use permissions from Project A to delete shared/public Calendar or Team Planner views from Project B, causing integrity impact and limited availability impact for users relying on those shared views. This vulnerability is fixed in 17.3.3 and 17.4.1.

⚡ Watch CVE-2026-52779

Get an email if CVE-2026-52779 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-52779

CVE.org record

Embed the live status

CVE-2026-52779 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52779 status](https://www.csirts.com/badge/CVE-2026-52779)](https://www.csirts.com/cve/CVE-2026-52779)