CVE-2026-23646
📋 TL;DR
OpenProject versions before 16.6.5 and 17.0.1 contain a session management vulnerability where users can delete other users' active sessions. This allows authenticated users to forcibly log out other users by iterating through predictable session IDs. All OpenProject instances running vulnerable versions are affected.
💻 Affected Systems
- OpenProject
📦 What is this software?
Openproject by Openproject
⚠️ Risk & Real-World Impact
Worst Case
Mass user logout causing widespread service disruption, potential data loss for users with unsaved work, and denial of service for legitimate users.
Likely Case
Targeted user logout causing temporary access disruption, user frustration, and potential productivity impact.
If Mitigated
Minimal impact with proper monitoring and quick incident response to identify malicious session deletion patterns.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial - attackers can iterate through predictable integer session IDs via DELETE requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.6.5 or 17.0.1
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp
Restart Required: Yes
Instructions:
1. Back up your OpenProject instance and database.
2. Update to OpenProject 16.6.5 (for the 16.x branch) or 17.0.1 (for the 17.x branch).
3. Restart the OpenProject service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
No workarounds available
The vulnerability cannot be mitigated through configuration changes or temporary workarounds, according to the advisory.
🧯 If You Can't Patch
- Implement strict rate limiting on DELETE /my/sessions/:id endpoints to prevent mass session deletion
- Deploy network monitoring to detect patterns of sequential session ID deletion attempts
🔍 How to Verify
Check if Vulnerable:
Check the OpenProject version via the web interface admin panel or by examining the application version files.
Check Version:
Check the OpenProject version with `openproject run bundle exec rails runner "puts OpenProject::VERSION.to_s"` or via the web interface at /admin/info.
Verify Fix Applied:
Verify that the version is 16.6.5 or higher (for 16.x) or 17.0.1 or higher (for 17.x), and test that session deletion properly validates ownership.
📡 Detection & Monitoring
Log Indicators:
- Multiple DELETE requests to /my/sessions/ with sequential IDs from the same user
- Unusual pattern of user logout events
Network Indicators:
- Burst of DELETE requests to session endpoints
- Sequential ID patterns in HTTP requests
SIEM Query:
source="openproject" AND (uri_path="/my/sessions/*" AND http_method="DELETE") | stats count by src_ip, uri_path | where count > 10
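As an added example (not from the advisory or the OpenProject project), the log indicators above turned into a small offline detector: it parses constructed access-log lines in an assumed `ip user method path status` format, extracts DELETE /my/sessions/<id> requests, and flags actors whose deleted session IDs form a run of consecutive integers or who exceed the same count threshold the SIEM query uses.

```python
"""Detect session-deletion bursts matching the CVE-2026-23646 pattern in access logs."""
import re
from collections import defaultdict

# Constructed sample log lines (assumed format: ip user method path status;
# not real OpenProject output). alice walks sequential IDs, bob deletes one session.
SAMPLE_LOG = """\
10.0.0.5 alice DELETE /my/sessions/101 204
10.0.0.5 alice DELETE /my/sessions/102 204
10.0.0.5 alice DELETE /my/sessions/103 204
10.0.0.5 alice DELETE /my/sessions/104 204
10.0.0.9 bob GET /projects 200
10.0.0.9 bob DELETE /my/sessions/57 204
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
SESSION_RE = re.compile(r"^/my/sessions/(\d+)$")


def parse_session_deletes(log_text):
    """Return {(src_ip, user): [session_id, ...]} for DELETE /my/sessions/<id> requests."""
    deletes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, user, method, path, _status = m.groups()
        sm = SESSION_RE.match(path)
        if method == "DELETE" and sm:
            deletes[(ip, user)].append(int(sm.group(1)))
    return deletes


def find_session_deletion_bursts(deletes, min_run=3, max_deletes=10):
    """Flag actors by volume (more than max_deletes, as in the SIEM query's count > 10)
    or by a run of at least min_run consecutive session IDs (sequential enumeration)."""
    alerts = []
    for actor, ids in deletes.items():
        if len(ids) > max_deletes:
            alerts.append((actor, "volume"))
            continue
        ordered = sorted(set(ids))
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                alerts.append((actor, "sequential_ids"))
                break
    return alerts


if __name__ == "__main__":
    for actor, reason in find_session_deletion_bursts(parse_session_deletes(SAMPLE_LOG)):
        print(f"ALERT {actor[0]} user={actor[1]} reason={reason}")
```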