CVE-2026-52779 is an authorization bypass vulnerability in OpenProject's Calendar and Team Planner modules affecting versions before 17.3.3 and 17.4.1. The vulnerability occurs due to a mismatch in authorization checks: the system authorizes actions against the project identified by :project_id in the URL, but subsequently loads the Query object by :id from Query.visible(current_user) without verifying that the Query belongs to the authorized project. This allows a user with management permissions in one project to delete public queries from another project where they lack such permissions, causing integrity and limited availability impacts. The vulnerability is addressed in OpenProject versions 17.3.3 and 17.4.1.

An attacker with management permissions in one project can delete shared public Calendar or Team Planner queries from other projects where they do not have management permissions. This results in integrity impact by unauthorized deletion of shared views and limited availability impact for users depending on those views. There is no confidentiality impact reported. The CVSS v3.1 score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and limited availability impact.

This vulnerability is fixed in OpenProject versions 17.3.3 and 17.4.1. Users should upgrade to at least these versions to remediate the issue. There is no vendor advisory indicating alternative mitigations or that no action is required. Patch status is confirmed by the version fix information in the description.