CVE-2026-24777
📋 TL;DR
OpenProject versions before 17.0.2 contain a missing authorization vulnerability where users with 'Manage Users' permission can lock application administrators, which should be restricted. This allows privilege escalation and potential denial of service against administrative accounts. All OpenProject instances with users granted 'Manage Users' permission are affected.
💻 Affected Systems
- OpenProject
📦 What is this software?
OpenProject by OpenProject
⚠️ Risk & Real-World Impact
Worst Case
Malicious user locks all administrators, causing complete loss of administrative access and potential service disruption until manual recovery.
Likely Case
Disgruntled employee or compromised account locks specific administrators to disrupt operations or facilitate further attacks.
If Mitigated
Limited impact if proper user permission reviews and monitoring are in place, with quick administrative recovery procedures.
🎯 Exploit Status
Exploitation requires an authenticated user with the 'Manage Users' permission. No special tools or skills are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.2
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-fq66-cwg6-qq69
Restart Required: Yes
Instructions:
1. Back up your OpenProject instance and database.
2. Update to OpenProject 17.0.2 using your package manager or deployment method.
3. Restart the OpenProject service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Remove Manage Users Permission
Temporarily remove the 'Manage Users' permission from all non-administrative users until patching can be completed.
# Use OpenProject web interface: Admin -> Roles & Permissions -> Edit role -> Uncheck 'Manage Users'
🧯 If You Can't Patch
- Implement strict user permission reviews and remove 'Manage Users' from unnecessary accounts
- Enable detailed logging of user lock/unlock actions and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the OpenProject version via the web interface (Admin -> Information) or the command line. If the version is below 17.0.2, the system is vulnerable.
Check Version:
openproject run bundle exec rails runner "puts OpenProject::VERSION.to_s"
Verify Fix Applied:
After updating, verify that the version is 17.0.2 or higher and test that users with the 'Manage Users' permission cannot lock administrators.
📡 Detection & Monitoring
Log Indicators:
- User lock events targeting administrative accounts
- Multiple lock attempts in a short time period
Network Indicators:
- API calls to user lock endpoints from non-administrative accounts
SIEM Query:
source="openproject" AND (event="user_locked" OR event="user_unlocked") AND target_user_role="admin"
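As an added example (not part of this advisory), the two log indicators above as detection logic run over constructed sample records. The field layout (event, actor, actor_role, target_user, target_user_role, time) mirrors the fields the SIEM query assumes and is not OpenProject's actual log format; adapt the parser to your shipped log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records using the field names the SIEM query above assumes
# (event, actor_role, target_user_role); this is NOT OpenProject's real log format.
SAMPLE_LOG = """\
{"time": "2026-02-01T09:00:00Z", "event": "user_locked", "actor": "mallory", "actor_role": "member", "target_user": "alice", "target_user_role": "admin"}
{"time": "2026-02-01T09:00:20Z", "event": "user_locked", "actor": "mallory", "actor_role": "member", "target_user": "bob", "target_user_role": "admin"}
{"time": "2026-02-01T09:00:40Z", "event": "user_locked", "actor": "mallory", "actor_role": "member", "target_user": "carol", "target_user_role": "admin"}
{"time": "2026-02-01T10:15:00Z", "event": "user_locked", "actor": "root", "actor_role": "admin", "target_user": "dave", "target_user_role": "member"}
{"time": "2026-02-01T11:00:00Z", "event": "user_unlocked", "actor": "root", "actor_role": "admin", "target_user": "alice", "target_user_role": "admin"}
"""

def parse_events(text):
    """One JSON object per line; timestamps become timezone-aware datetimes."""
    events = [json.loads(l) for l in text.splitlines() if l.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return events

def admin_locked_by_non_admin(events):
    """Log indicator 1: an administrator account locked by a non-admin actor."""
    return [e for e in events
            if e["event"] == "user_locked"
            and e["target_user_role"] == "admin"
            and e["actor_role"] != "admin"]

def lock_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Log indicator 2: >= threshold locks by one actor inside a sliding window; returns {actor: max count}."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event"] == "user_locked":
            by_actor[e["actor"]].append(e["time"])
    bursts = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[actor] = max(bursts.get(actor, 0), end - start + 1)
    return bursts

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in admin_locked_by_non_admin(evs):
        print(f"ALERT admin lock: {e['actor']} locked {e['target_user']} at {e['time']:%H:%M:%S}")
    for actor, n in lock_bursts(evs).items():
        print(f"ALERT lock burst: {actor} issued {n} locks within 5 minutes")
```

The burst check stays useful after patching, since the legitimate admin-only lock path can still be abused by a compromised administrator account.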