CVE-2026-27723 is an improper access control vulnerability classified under CWE-284 affecting OpenProject, a widely used open-source project management platform. The vulnerability exists in versions prior to 17.0.5 and 17.1.2, where an attacker with authenticated access but limited privileges can create wiki pages in projects they are not authorized to access. This occurs due to insufficient authorization checks on the creation of wiki pages, allowing privilege escalation within the application context. The attacker does not require user interaction and can exploit the vulnerability remotely over the network. The CVSS v3.1 score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but a partial impact on integrity. Specifically, the attacker can inject unauthorized content into project documentation, potentially misleading project members or corrupting project data integrity. The vulnerability has been addressed in OpenProject versions 17.0.5 and 17.1.2 by enforcing proper access control mechanisms on wiki page creation. No public exploits or active exploitation have been reported, but the vulnerability poses a risk to organizations relying on vulnerable versions of OpenProject for project collaboration and documentation.

The primary impact of CVE-2026-27723 is on the integrity of project data within OpenProject environments. Unauthorized creation of wiki pages in unpermitted projects can lead to misinformation, unauthorized content injection, and potential disruption of project workflows. While confidentiality and availability remain unaffected, the integrity compromise could undermine trust in project documentation and collaboration. For organizations relying heavily on OpenProject for managing sensitive or critical projects, this vulnerability could facilitate insider threats or lateral movement by malicious actors with limited privileges. The risk is heightened in large organizations with multiple projects and complex access controls, where unauthorized content could go unnoticed and cause operational confusion or reputational damage. However, the requirement for authenticated access limits exposure to external unauthenticated attackers. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation.

To mitigate CVE-2026-27723, organizations should immediately upgrade OpenProject to versions 17.0.5 or 17.1.2 or later, where the vulnerability is patched. In addition to patching, administrators should audit user permissions and project access controls to ensure that users have the minimum necessary privileges. Implement strict role-based access control (RBAC) policies and regularly review project membership and permissions to prevent privilege escalation opportunities. Monitoring and logging wiki page creation activities can help detect unauthorized attempts to create content in unpermitted projects. Employ network segmentation and access restrictions to limit exposure of OpenProject instances to trusted users only. For environments where immediate patching is not feasible, consider temporary compensating controls such as disabling wiki page creation for lower-privileged users or restricting access to sensitive projects. Finally, maintain an incident response plan to address potential misuse of the vulnerability and educate users about the importance of reporting suspicious activities.