CVE-2026-23646: CWE-488: Exposure of Data Element to Wrong Session in opf openproject
CVE-2026-23646 is a medium-severity vulnerability in OpenProject versions prior to 16.6.5 and in version 17.0.0. An authenticated user can delete other users' active sessions because the session-deletion endpoint does not validate session ownership. Since session IDs are sequential integers, an attacker can iterate them in DELETE requests and log other users out without elevated permissions or any user interaction. No session data is disclosed, but forcibly terminating sessions disrupts availability and workflow. The issue is fixed in OpenProject 16.6.5 and 17.0.1.
AI Analysis
Technical Summary
CVE-2026-23646 is categorized under CWE-488 (Exposure of Data Element to Wrong Session) and affects the open-source project management software OpenProject. The flaw is in the session management feature that lets users view and delete their own active sessions from Account Settings. The DELETE endpoint for sessions (`DELETE /my/sessions/:id`) looks the session up by ID without verifying that it belongs to the authenticated user; what is missing is an authorization (ownership) check, not a defect in the session store itself. Because session IDs are incremental integers, a caller with an ordinary account can enumerate IDs and delete sessions belonging to other users, logging them out. No session metadata such as IP addresses or browser identifiers is disclosed, so the impact is on availability rather than confidentiality or integrity. No elevated permissions or user interaction are needed, and the endpoint is reachable over the network. The issue is patched in OpenProject 16.6.5 and 17.0.1. The CVSS v3.1 base score is 6.5 (medium): network attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, high availability impact. Note that the vector records PR:N even though the affected endpoint sits in the logged-in user's account area, so a practitioner should assume that any account holder can exploit it. No exploitation in the wild has been reported, and no workaround other than upgrading is documented.
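The following Ruby sketch is added here as an illustration; it is not OpenProject's code. It models the shape of the bug described above: a session store that hands out incremental integer IDs, a DELETE handler that looks sessions up by ID alone, and a hardened handler that scopes the lookup to the caller's own sessions. Every name in it (`SessionStore`, `delete_session_vulnerable`, `delete_session_hardened`, `run_scenario`, the user IDs and IP addresses) is hypothetical.

```ruby
# Added illustration, not OpenProject's code. Models the missing ownership check
# behind "DELETE /my/sessions/:id". Every name here is hypothetical.

Session = Struct.new(:id, :user_id, :ip)

# Minimal session store that hands out incremental integer ids, the property
# that makes enumeration trivial.
class SessionStore
  def initialize
    @sessions = {}
    @next_id = 1
  end

  def create(user_id, ip)
    session = Session.new(@next_id, user_id, ip)
    @sessions[session.id] = session
    @next_id += 1
    session
  end

  # Global lookup: the caller's identity plays no part.
  def find(id)
    @sessions[id]
  end

  # Scoped lookup: only the owner's sessions are visible, so a foreign id
  # looks exactly like a nonexistent one.
  def find_for_user(user_id, id)
    session = @sessions[id]
    session if session && session.user_id == user_id
  end

  def destroy(id)
    @sessions.delete(id)
  end

  def ids
    @sessions.keys
  end
end

# Vulnerable handler: any authenticated caller can delete any session id.
def delete_session_vulnerable(store, _current_user_id, id)
  return :not_found unless store.find(id)

  store.destroy(id)
  :deleted
end

# Hardened handler: the lookup is scoped to the current user, the common Rails
# idiom current_user.sessions.find(params[:id]). A foreign id and a missing id
# both yield 404, so the check also does not reveal whether the id exists.
def delete_session_hardened(store, current_user_id, id)
  return :not_found unless store.find_for_user(current_user_id, id)

  store.destroy(id)
  :deleted
end

# Attacker with an ordinary account iterating ids 1..max_id against a handler.
def enumerate_and_delete(store, attacker_id, max_id, handler)
  (1..max_id).to_h { |id| [id, handler.call(store, attacker_id, id)] }
end

# Runs the scenario: three users with one session each; user 3 is the attacker.
# Returns which ids the attacker managed to delete and which sessions survive.
def run_scenario(handler_name)
  store = SessionStore.new
  store.create(1, '10.0.0.5') # constructed sample data
  store.create(2, '10.0.0.6')
  store.create(3, '10.0.0.7') # attacker's own session
  results = enumerate_and_delete(store, 3, 10, method(handler_name))
  {
    deleted: results.select { |_, outcome| outcome == :deleted }.keys,
    remaining: store.ids
  }
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(:delete_session_vulnerable) # attacker wipes every session
  p run_scenario(:delete_session_hardened)   # attacker can only delete id 3
end
```

The point of scoping the lookup rather than adding an `if session.user_id != current_user.id` branch after a global `find` is that the ownership check cannot be forgotten on a new code path, and the response for someone else's session is identical to the response for a session that never existed.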
Potential Impact
For European organizations running vulnerable OpenProject versions, the practical effect is denial of service: an attacker can repeatedly log legitimate users out. That interrupts work in environments that rely on OpenProject for project management and collaboration, and in a targeted attack it can be used to disrupt a team at a chosen moment or as a nuisance component of a broader campaign. No confidential data is exposed and nothing is lost except the session records themselves, so affected users can sign back in, but with a large user base or time-critical projects the repeated interruptions add up to measurable operational impact and erode trust in the platform. Because exploitation needs only an ordinary account and no user interaction, the risk is higher where the instance is reachable from the internet or untrusted networks, or where accounts are easy to obtain.
Mitigation Recommendations
The only complete fix is to upgrade to OpenProject 16.6.5 or 17.0.1 (or later), which adds the missing session-ownership check. Inventory OpenProject instances, identify their versions and patch the vulnerable ones first. Where patching must wait, the following reduce exposure but do not remove the flaw: restrict access to the web interface with network controls (VPN, IP allow-listing, a web application firewall), and rate-limit DELETE requests to the sessions endpoint at the reverse proxy or WAF, since enumeration needs many requests in quick succession. Monitor web server and application logs for DELETE requests to `/my/sessions/<id>` that cover many distinct IDs from one client or account; legitimate use deletes one or a few sessions at a time. Multi-factor authentication and session timeout policies do not prevent forced logout and should not be counted as mitigations for this issue, although they limit what an attacker gains from any account they control. No data is lost when a session is deleted, so recovery is a matter of users signing in again; incident response should focus on identifying and disabling the account used for the enumeration.
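As an added example of the log check recommended above (not from the page or from OpenProject), the Ruby script below parses access-log lines in the common "combined" format, keeps only `DELETE /my/sessions/<id>` requests, and flags any client that hits many distinct session IDs within a short window, reporting the longest run of consecutive IDs as the strongest enumeration signal. The log lines, thresholds and function names are constructed for this example; a real deployment would read the proxy's access log and, where the application logs the authenticated user, key on the account rather than the client IP.

```ruby
# Added detection example, not part of the page or of OpenProject. Scans access
# log lines in the common "combined" format for session-id enumeration.
# Sample log lines, thresholds and names are constructed for illustration.
require 'time'

# client ip, identity, user, [timestamp], "METHOD path protocol", status ...
LOG_LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+)[^"]*" (?<status>\d{3}) /
SESSION_PATH_RE = %r{\A/my/sessions/(?<id>\d+)\z}

# Returns a hash for a DELETE against /my/sessions/<id>, nil for any other line.
def parse_session_delete(line)
  m = LOG_LINE_RE.match(line)
  return nil unless m && m[:method] == 'DELETE'

  path = SESSION_PATH_RE.match(m[:path])
  return nil unless path

  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    id: path[:id].to_i,
    status: m[:status].to_i
  }
end

# Longest run of consecutive integers in ids, e.g. [7, 3, 4, 5] -> 3.
def longest_consecutive_run(ids)
  best = run = 1
  ids.uniq.sort.each_cons(2) do |a, b|
    run = (b == a + 1) ? run + 1 : 1
    best = run if run > best
  end
  best
end

# Flags a client once it deletes at least `threshold` distinct session ids
# within any `window_seconds` span. Legitimate use removes one or a few
# sessions at a time, so the threshold can be low.
def detect_session_enumeration(lines, threshold: 5, window_seconds: 60)
  events = lines.map { |l| parse_session_delete(l) }.compact
  alerts = []
  events.group_by { |e| e[:ip] }.each do |ip, evs|
    evs = evs.sort_by { |e| e[:time] }
    evs.each_with_index do |start, i|
      window = evs[i..].take_while { |e| e[:time] - start[:time] <= window_seconds }
      ids = window.map { |e| e[:id] }.uniq
      next if ids.size < threshold

      alerts << { ip: ip, first_seen: start[:time], distinct_ids: ids.size,
                  consecutive_run: longest_consecutive_run(ids) }
      break # one alert per client is enough
    end
  end
  alerts
end

# Constructed sample: one user deleting a single stale session of their own,
# and one client walking ids 101..106 in a few seconds.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [19/Jan/2026:10:00:01 +0000] "DELETE /my/sessions/42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  10.0.0.5 - - [19/Jan/2026:10:00:02 +0000] "GET /my/sessions HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  203.0.113.9 - - [19/Jan/2026:10:05:00 +0000] "DELETE /my/sessions/101 HTTP/1.1" 302 0 "-" "curl/8.4.0"
  203.0.113.9 - - [19/Jan/2026:10:05:01 +0000] "DELETE /my/sessions/102 HTTP/1.1" 302 0 "-" "curl/8.4.0"
  203.0.113.9 - - [19/Jan/2026:10:05:02 +0000] "DELETE /my/sessions/103 HTTP/1.1" 302 0 "-" "curl/8.4.0"
  203.0.113.9 - - [19/Jan/2026:10:05:03 +0000] "DELETE /my/sessions/104 HTTP/1.1" 302 0 "-" "curl/8.4.0"
  203.0.113.9 - - [19/Jan/2026:10:05:04 +0000] "DELETE /my/sessions/105 HTTP/1.1" 302 0 "-" "curl/8.4.0"
  203.0.113.9 - - [19/Jan/2026:10:05:05 +0000] "DELETE /my/sessions/106 HTTP/1.1" 302 0 "-" "curl/8.4.0"
  203.0.113.9 - - [19/Jan/2026:10:05:06 +0000] "DELETE /projects/7 HTTP/1.1" 403 0 "-" "curl/8.4.0"
LOG

def alerts_for_sample
  detect_session_enumeration(SAMPLE_LOG.lines)
end

if __FILE__ == $PROGRAM_NAME
  alerts_for_sample.each do |a|
    puts "#{a[:ip]} first seen #{a[:first_seen]}: #{a[:distinct_ids]} session ids, " \
         "longest consecutive run #{a[:consecutive_run]}"
  end
end
```

Because the response to a successful and an unsuccessful deletion can look the same in the proxy log (both often redirect), the detection keys on request volume and ID spread rather than on status codes; the `status` field is kept so the rule can be tightened once the exact behaviour of the deployed version is known.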
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-14T16:08:37.484Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696e705dd302b072d9cf6544
Added to database: 1/19/2026, 5:56:45 PM
Last enriched: 1/26/2026, 8:10:38 PM
Last updated: 2/7/2026, 10:13:46 AM
Related Threats
CVE-2026-2080: Command Injection in UTT HiPER 810 (High)
CVE-2026-2079: Improper Authorization in yeqifu warehouse (Medium)
CVE-2026-1675: CWE-1188 Initialization of a Resource with an Insecure Default in brstefanovic Advanced Country Blocker (Medium)
CVE-2026-1643: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ariagle MP-Ukagaka (Medium)
CVE-2026-1634: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in alexdtn Subitem AL Slider (Medium)