OpenProject is an open-source web-based project management tool widely used for collaborative project planning and tracking. In versions prior to 17.2.0, a critical flaw exists in the handling of budget deletions related to work packages. When a budget is deleted, the system must reassign any work packages linked to that budget to a different budget. However, this reassignment occurs before the application performs the permission check for the delete action. As a result, any authenticated user, regardless of their authorization level, can delete work package budget assignments. This is a classic case of incorrect authorization (CWE-863), where the sequence of operations allows bypassing of intended access controls. The vulnerability has a CVSS v3.1 score of 6.5, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) but no user interaction (UI:N). The impact is limited to integrity (I:H) with no confidentiality or availability impact. There are no known exploits in the wild as of the publication date. The issue is resolved in OpenProject version 17.2.0, where permission checks are correctly enforced before any budget deletion or reassignment occurs.

The primary impact of this vulnerability is on data integrity within project management workflows. Unauthorized users can delete budget assignments for work packages, potentially causing inaccurate budget tracking, misallocation of resources, and disruption of financial oversight. This can lead to project delays, incorrect reporting, and loss of trust in project data. While confidentiality and availability are not directly affected, the integrity compromise can have cascading effects on decision-making and project outcomes. Organizations relying on OpenProject for budget and resource management are at risk of internal sabotage or accidental data corruption by users without proper permissions. This could be particularly damaging in environments with multiple collaborators or where budget data is sensitive for compliance or auditing purposes.

To mitigate this vulnerability, organizations should upgrade OpenProject to version 17.2.0 or later, where the authorization checks are properly enforced. Until the upgrade can be applied, administrators should restrict access to the budget deletion functionality to trusted users only, possibly by limiting user roles or applying network-level access controls. Monitoring and auditing user actions related to budget and work package modifications can help detect unauthorized activities. Additionally, implementing strict role-based access control (RBAC) policies and regularly reviewing user permissions can reduce the risk of exploitation. Organizations should also ensure that backups of project data are maintained to recover from any unauthorized changes. Finally, educating users about the importance of access controls and promptly applying security patches are critical best practices.