
CVE-2026-23646: CWE-488: Exposure of Data Element to Wrong Session in opf openproject

Severity: Medium
Tags: Vulnerability, CVE-2026-23646, CWE-488
Published: Mon Jan 19 2026 (01/19/2026, 17:48:03 UTC)
Source: CVE Database V5
Vendor/Project: opf
Product: openproject

Description

OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked whether the session belongs to the user. As the IDs used to identify these session objects are incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc.) of other users that is stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available, as this does not require any permissions or other settings that could be temporarily disabled.

AI-Powered Analysis

AI analysis last updated: 01/19/2026, 18:11:30 UTC

Technical Analysis

CVE-2026-23646 is classified under CWE-488 (Exposure of Data Element to Wrong Session) and affects OpenProject, an open-source, web-based project management application. Versions prior to 16.6.5, and version 17.0.0, let users list and end their own active sessions under Account Settings → Sessions. The handler behind `DELETE /my/sessions/:id` deleted whatever session matched `:id` without verifying that it belonged to the requesting user: the lookup was global rather than scoped to the current user's sessions, so although the CVE is catalogued as CWE-488, the root cause is a missing ownership check on a user-controlled key (an insecure direct object reference). Because session records use incrementing integer IDs, any authenticated user can walk the ID space and delete other users' sessions, forcing them to log in again. The request returns no session contents, so IP addresses, browser identifiers and other data stored with the session are not disclosed. The impact is therefore on availability: a low-privileged account can repeatedly and selectively log out arbitrary users. Exploitation requires a valid account but no further privileges or user interaction. The issue was fixed in 16.6.5 and 17.0.1; no workaround exists, and no in-the-wild exploitation had been reported at publication. The CVSS v3.1 base score is 6.5 (medium), corresponding to network attack vector, low attack complexity, low privileges required, no user interaction, and no confidentiality or integrity impact with high availability impact.
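The pattern described above, as an added illustration that is not OpenProject's own code: an in-memory stand-in for a sessions table with an auto-incrementing primary key, a vulnerable `DELETE /my/sessions/:id` handler that looks the session up globally, the fixed handler that scopes the lookup to the requesting user, and an attacker with an ordinary account iterating the ID space against each. The store, user names and handler names are constructed for this example.

```ruby
# Added illustration (not OpenProject's own code) of the bug class behind
# CVE-2026-23646: a session-deletion handler that looks the session up by its
# global, incrementing integer id instead of scoping the lookup to the
# requesting user's own sessions. All names here are constructed.

Session = Struct.new(:id, :user)

class NotFound < StandardError; end

# Minimal stand-in for an ActiveRecord-style sessions table.
class SessionStore
  attr_reader :last_id

  def initialize
    @rows = {}
    @last_id = 0
  end

  def create(user)
    @last_id += 1
    @rows[@last_id] = Session.new(@last_id, user)
  end

  # Global lookup, the equivalent of Session.find(id).
  def find(id)
    @rows[id]
  end

  # Scoped lookup, the equivalent of current_user.sessions.find(id).
  def find_for(user, id)
    row = @rows[id]
    row if row && row.user == user
  end

  def delete(id)
    @rows.delete(id)
  end

  def users_with_sessions
    @rows.values.map(&:user).uniq.sort
  end
end

# Vulnerable handler: any authenticated user may delete any session id.
def destroy_session_vulnerable(store, current_user, id)
  session = store.find(id) or raise NotFound
  store.delete(session.id)
end

# Fixed handler: the lookup is scoped to the requester, so a foreign id is
# indistinguishable from a non-existent one (404 rather than 403, which also
# avoids confirming to the caller that the id is live).
def destroy_session_fixed(store, current_user, id)
  session = store.find_for(current_user, id) or raise NotFound
  store.delete(session.id)
end

# Attacker "mallory" with an ordinary account walks the id space 1..last_id.
# Returns [ids the attacker managed to delete, users who still have a session].
def enumerate_and_delete(handler)
  store = SessionStore.new
  %w[alice bob carol mallory].each { |u| store.create(u) } # ids 1..4
  store.create("alice")                                      # id 5, second device

  deleted = []
  (1..store.last_id).each do |id|
    begin
      send(handler, store, "mallory", id)
      deleted << id
    rescue NotFound
      next
    end
  end
  [deleted, store.users_with_sessions]
end

if __FILE__ == $PROGRAM_NAME
  p enumerate_and_delete(:destroy_session_vulnerable) # every session gone
  p enumerate_and_delete(:destroy_session_fixed)      # only mallory's own id 4
end
```

The fix is the one-line change from a global `find` to a lookup scoped through the current user; in a Rails application that is the difference between `Session.find(params[:id])` and `current_user.sessions.find(params[:id])`. Random, non-guessable identifiers would slow enumeration but would not remove the missing authorization check, which is why the scoped lookup is the actual fix.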

Potential Impact

For European organizations running vulnerable OpenProject versions, the risk is denial of service against user sessions: anyone holding a valid account can forcibly log out other users, disrupting project coordination or singling out key personnel. No session data is disclosed, but forced termination can cost unsaved work and block timely access to project resources, and repeated abuse degrades productivity and trust in the platform. The effect is largest in deployments with many concurrent users or where session continuity matters. Because exploitation requires authentication, insiders and compromised accounts are the most likely vectors. The absence of known exploits lowers the immediate risk, but sequential session IDs make exploitation trivial once credentials are available.

Mitigation Recommendations

European organizations should upgrade OpenProject to 16.6.5 or 17.0.1 (or later), where the ownership check is in place; as no workaround exists, patching is the primary mitigation. Because the attack needs only a valid account, reducing credential compromise matters: enforce strong authentication, including multi-factor authentication where possible, and discourage credential sharing. Until patched, monitor for a single account issuing bursts of `DELETE /my/sessions/:id` requests across many distinct, mostly sequential IDs; a mix of successful and 404 responses from one user is a strong enumeration signal, since legitimate users end only the handful of sessions they own. Limiting roles to what users need does not help here, since ordinary authenticated access suffices. Where immediate patching is not feasible, restrict OpenProject access to trusted networks and consider a web application firewall rule that rate-limits or blocks suspicious DELETE requests to the session endpoint, bearing in mind that blanket blocking also removes users' ability to end their own sessions. Finally, keep backups and incident response plans current so that disruption can be recovered from quickly.
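The monitoring recommendation above, as an added example that is not from OpenProject or the original page: a small detector that parses constructed access-log lines, keeps only `DELETE /my/sessions/:id` requests, and flags any account that deleted more than a threshold of distinct session IDs within a time window, reporting how many of those IDs were consecutive. The log format, field names and sample lines are assumptions for this example; a real deployment would map the regex onto its own proxy or application log.

```ruby
# Added detection example (not from OpenProject or the page): flag a single
# account issuing a burst of DELETE /my/sessions/:id requests against many
# distinct, mostly sequential ids. The log format and sample lines below are
# constructed for this example.

require "time"

LOG_LINE = /\A(?<ts>\S+) user=(?<user>\S+) (?<method>[A-Z]+) (?<path>\S+) (?<status>\d{3})\z/
SESSION_PATH = %r{\A/my/sessions/(?<id>\d+)\z}

# Constructed sample: mallory walks ids 40..46 within a few seconds (one 404 for
# an id that no longer exists); alice ends one of her own sessions, which is
# normal; bob's GET is unrelated noise.
SAMPLE_LOG = <<~LOG
  2026-01-19T17:50:01Z user=alice DELETE /my/sessions/12 204
  2026-01-19T17:50:03Z user=mallory DELETE /my/sessions/40 204
  2026-01-19T17:50:03Z user=mallory DELETE /my/sessions/41 404
  2026-01-19T17:50:04Z user=mallory DELETE /my/sessions/42 204
  2026-01-19T17:50:04Z user=mallory DELETE /my/sessions/43 204
  2026-01-19T17:50:05Z user=mallory DELETE /my/sessions/44 204
  2026-01-19T17:50:05Z user=bob GET /projects 200
  2026-01-19T17:50:06Z user=mallory DELETE /my/sessions/45 204
  2026-01-19T17:50:07Z user=mallory DELETE /my/sessions/46 204
LOG

# Parse the log into [time, user, session_id] triples for session-deletion
# requests only. Both 2xx and 404 responses are kept: the enumeration attempt
# itself is the signal, not whether a given id happened to be live.
def session_deletions(log)
  log.each_line.filter_map do |line|
    m = LOG_LINE.match(line.strip) or next
    next unless m[:method] == "DELETE"
    p = SESSION_PATH.match(m[:path]) or next
    [Time.iso8601(m[:ts]), m[:user], p[:id].to_i]
  end
end

# Return a finding if `events` (one user's deletions) contain more than
# `threshold` distinct ids inside any `window`-second span, else nil.
def sweep_for(user, events, threshold, window)
  events = events.sort_by(&:first)
  events.each_with_index do |(t0, _, _), i|
    ids = events[i..].take_while { |t, _, _| t - t0 <= window }.map(&:last).uniq.sort
    next if ids.size <= threshold
    sequential = ids.each_cons(2).count { |a, b| b == a + 1 }
    return { user: user, ids: ids, sequential_pairs: sequential }
  end
  nil
end

# A legitimate user rarely owns more than a few concurrent sessions, let alone
# ends them all at once; many consecutive ids strengthen the enumeration signal.
def flag_session_sweeps(log, threshold: 3, window: 60)
  session_deletions(log)
    .group_by { |_, user, _| user }
    .filter_map { |user, events| sweep_for(user, events, threshold, window) }
end

if __FILE__ == $PROGRAM_NAME
  flag_session_sweeps(SAMPLE_LOG).each { |f| puts "ALERT #{f}" }
end
```

Tune `threshold` to the largest number of concurrent sessions a user in your environment plausibly holds, and alert on the `sequential_pairs` count as well as the raw volume: a user closing five devices produces scattered IDs, whereas enumeration produces a contiguous run.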


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-14T16:08:37.484Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696e705dd302b072d9cf6544

Added to database: 1/19/2026, 5:56:45 PM

Last enriched: 1/19/2026, 6:11:30 PM

Last updated: 1/19/2026, 8:14:27 PM

