OpenProject is an open-source, web-based project management tool used to manage projects, budgets, and labor costs. In versions prior to 17.2.0, a critical authorization check was missing when users edited project budgets and planned labor costs. Specifically, the application did not verify whether the user whose labor cost rate was being accessed or calculated was actually a member of the project. This flaw exists in two key areas: the budget editing interface and the backend endpoint responsible for pre-calculating cost previews shown on the frontend. As a result, unauthorized users could view the default labor cost rates of non-members, exposing potentially sensitive financial information. The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that access control policies were not properly enforced. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the vulnerability allows information disclosure (confidentiality impact) but does not affect integrity or availability. Exploitation requires at least some privileges (PR:L) but no user interaction (UI:N), and the attack can be performed remotely (AV:N). There are no known exploits in the wild as of the publication date. The issue was addressed and fixed in OpenProject version 17.2.0 by adding proper membership validation checks before allowing access to labor cost rates and calculations.

The primary impact is unauthorized disclosure of sensitive financial information, specifically the default labor cost rates of users who are not project members. This could lead to privacy violations and potentially give competitors or malicious insiders insight into project budgeting and labor cost structures. While the vulnerability does not allow modification of data or disruption of service, the exposure of cost rates could undermine trust and confidentiality within organizations. For companies relying on OpenProject for sensitive project management, this could result in reputational damage or internal compliance issues. Since exploitation requires some level of authenticated access, the risk is limited to users with at least basic privileges but not necessarily project membership. The scope is limited to organizations using vulnerable OpenProject versions prior to 17.2.0, which may include enterprises, government agencies, and NGOs that rely on this software for project budgeting and labor planning.

Organizations should upgrade OpenProject installations to version 17.2.0 or later, where the vulnerability is fixed. Until upgrading is possible, administrators should restrict access to project budget editing features to trusted users only and review user roles to minimize unnecessary privileges. Monitoring and auditing access logs for unusual budget editing or cost calculation requests can help detect potential exploitation attempts. Additionally, organizations can implement network-level controls to limit access to the OpenProject instance to authorized personnel. Applying the principle of least privilege to user accounts and ensuring that only legitimate project members have access to sensitive budget information will reduce exposure. Finally, educating users about the importance of reporting unexpected access to cost data can aid early detection.