CVE-2026-24777 is a vulnerability classified under CWE-862 (Missing Authorization) affecting OpenProject, an open-source web-based project management software. In versions prior to 17.0.2, users granted the Manage Users permission could lock and unlock user accounts, including those of application administrators, due to a missing permission check. Normally, locking or unlocking administrator accounts should be restricted to prevent privilege abuse or denial of service against critical user accounts. The vulnerability arises because the software failed to enforce authorization logic that excludes administrators from being locked by users with Manage Users rights. Exploiting this flaw requires the attacker to already have Manage Users privileges, which implies a high level of access, but no additional user interaction is needed. The impact includes potential denial of service by locking administrator accounts, disruption of administrative functions, and possible escalation paths if administrators are locked out. The flaw was addressed and fixed in OpenProject version 17.0.2 by adding the necessary authorization checks. The CVSS v3.1 score is 6.7 (medium severity) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H, indicating network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, low confidentiality impact, high integrity and availability impact. No known exploits are reported in the wild as of the publication date.

For European organizations using OpenProject versions prior to 17.0.2, this vulnerability poses a risk of operational disruption by allowing privileged users to lock administrator accounts improperly. This can lead to denial of service for administrators, impacting the integrity and availability of project management workflows and potentially delaying critical projects. Although exploitation requires high privileges, insider threats or compromised accounts with Manage Users permission could leverage this flaw to disrupt administrative control. The confidentiality impact is low, but the integrity and availability impacts are high, which can affect business continuity and governance. Organizations in sectors relying heavily on project management tools, such as IT, engineering, and public administration, may experience significant operational challenges. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in environments with multiple privileged users. Failure to patch could also increase risk if attackers combine this vulnerability with other attack vectors to escalate privileges or cause broader disruptions.

The primary mitigation is to upgrade OpenProject installations to version 17.0.2 or later, where the missing authorization check has been implemented. Organizations should audit and restrict the Manage Users permission to only trusted personnel, minimizing the number of users who can exploit this vulnerability. Implement role-based access control (RBAC) policies to enforce the principle of least privilege. Monitor user account lock/unlock activities for unusual patterns that could indicate abuse. Employ multi-factor authentication (MFA) for accounts with elevated privileges to reduce the risk of credential compromise. Regularly review and update security policies related to user management in OpenProject. In environments where immediate upgrade is not feasible, consider temporary compensating controls such as manual oversight of user lock/unlock actions or disabling the Manage Users permission where possible. Maintain up-to-date backups of user and project data to enable recovery in case of disruption.