CVE-2026-27723: CWE-284: Improper Access Control in opf openproject
OpenProject is an open-source, web-based project management software. Prior to versions 17.0.5 and 17.1.2, an attacker can create wiki pages belonging to unpermitted projects through an improperly authenticated request. This issue has been patched in versions 17.0.5 and 17.1.2.
AI Analysis
Technical Summary
CVE-2026-27723 is classified under CWE-284 (Improper Access Control) and affects OpenProject, a widely used open-source project management software. The vulnerability arises from insufficient authentication checks that allow an attacker with some level of authenticated access (PR:L, low privileges required) to create wiki pages in projects for which they lack explicit permissions. This improper access control flaw enables unauthorized data modification, specifically the creation of wiki content in unpermitted projects. The vulnerability does not impact confidentiality or availability but compromises data integrity by allowing unauthorized content injection. The CVSS v3.1 score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), attack complexity is low (AC:L), low privileges are required (PR:L), no user interaction is needed (UI:N), and scope is unchanged (S:U). The issue was addressed in OpenProject versions 17.0.5 and 17.1.2 by enforcing stricter permission checks on wiki page creation requests. No public exploits have been reported, indicating limited active exploitation. However, the vulnerability poses a risk to organizations relying on OpenProject for collaborative documentation and project tracking, as unauthorized wiki pages could mislead teams or disrupt project integrity.
Potential Impact
The primary impact of CVE-2026-27723 is the unauthorized modification of project documentation through the creation of wiki pages in projects where the attacker lacks permission. This can lead to misinformation, confusion, and potential disruption of project workflows, undermining trust in project data integrity. While confidentiality and availability remain unaffected, the integrity compromise can have cascading effects on decision-making and project outcomes. Organizations using vulnerable OpenProject versions may face risks of insider threats or compromised accounts being leveraged to inject misleading or malicious content. This can be particularly damaging in environments where project documentation is critical for compliance, auditing, or operational continuity. The lack of known exploits reduces immediate risk, but the ease of exploitation (low complexity, network accessible) means that attackers could develop exploits if motivated. Overall, the threat could impact project management efficiency and organizational trust in collaborative tools.
Mitigation Recommendations
To mitigate CVE-2026-27723, organizations should promptly upgrade OpenProject installations to versions 17.0.5 or 17.1.2 or later, where the vulnerability has been patched. Beyond patching, administrators should audit user roles and permissions to ensure that only authorized users have access to create or modify wiki pages within projects. Implementing strict role-based access control (RBAC) policies and regularly reviewing permission assignments can reduce the risk of privilege misuse. Monitoring logs for unusual wiki page creation activity can help detect potential exploitation attempts. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block unauthorized API requests related to wiki page creation. Educating users about the importance of account security and enforcing strong authentication mechanisms (e.g., MFA) can further reduce the risk of compromised credentials being used to exploit this vulnerability.
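The two checks the analysis above calls for, shown as an added illustration in Ruby rather than OpenProject's own code: authorizing a wiki page creation against the project the page will actually belong to (contrasted with an authenticated-only check, the CWE-284 pattern), and auditing past creation events for pages whose creator lacked edit rights on that project. The membership data, wiki-to-project mapping, the permission name `:edit_wiki_pages` and the event records are all constructed for the example.

```ruby
# Added illustration, not OpenProject code: an in-memory membership model used
# to authorize wiki page creation and to audit past creation events.

# Constructed data: user id => { project id => granted permissions }.
# The permission name :edit_wiki_pages is assumed for illustration.
MEMBERSHIPS = {
  1 => { 10 => %i[view_wiki_pages edit_wiki_pages], 20 => %i[view_wiki_pages] },
  2 => { 20 => %i[view_wiki_pages edit_wiki_pages] }
}.freeze

# Constructed data: wiki id => owning project id. A page belongs to a wiki
# and the wiki to a project; that project is the one to authorize.
WIKI_PROJECT = { 100 => 10, 200 => 20 }.freeze

def permitted?(user_id, project_id, permission)
  MEMBERSHIPS.dig(user_id, project_id)&.include?(permission) || false
end

# The CWE-284 pattern: the request is authenticated (the user exists) but no
# permission is checked on the target project, so any account can create
# pages anywhere.
def create_wiki_page_unchecked(user_id:, wiki_id:, title:)
  return [:error, :unauthenticated] unless MEMBERSHIPS.key?(user_id)
  [:ok, { project_id: WIKI_PROJECT[wiki_id], wiki_id: wiki_id, title: title }]
end

# Hardened form: resolve the owning project from the wiki, reject requests
# whose stated project disagrees with it, then require the permission there.
def create_wiki_page(user_id:, request_project_id:, wiki_id:, title:)
  owning_project = WIKI_PROJECT[wiki_id]
  return [:error, :unknown_wiki] unless owning_project
  return [:error, :project_mismatch] unless owning_project == request_project_id
  return [:error, :forbidden] unless permitted?(user_id, owning_project, :edit_wiki_pages)
  [:ok, { project_id: owning_project, wiki_id: wiki_id, title: title }]
end

# Retrospective audit over creation events (constructed here; in practice
# exported from the application's audit trail): flag pages whose creator
# lacked edit rights on the owning project, the trace this flaw would leave.
def unauthorized_creations(events)
  events.reject { |e| permitted?(e[:user_id], WIKI_PROJECT[e[:wiki_id]], :edit_wiki_pages) }
end

EVENTS = [
  { user_id: 1, wiki_id: 100, title: "Roadmap" },
  { user_id: 1, wiki_id: 200, title: "Planted page" }, # user 1 can only view project 20
  { user_id: 2, wiki_id: 200, title: "Retro notes" }
].freeze
```

Running `unauthorized_creations(EVENTS)` returns only the "Planted page" event, the kind of record a post-patch review of a vulnerable instance should look for.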
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T18:37:14.789Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9c996460e1c85df13935c
Added to database: 3/5/2026, 6:21:10 PM
Last enriched: 3/5/2026, 6:36:03 PM
Last updated: 3/5/2026, 9:05:00 PM