CVE-2026-27723
📋 TL;DR
OpenProject versions before 17.0.5 and 17.1.2 contain an improper authentication vulnerability that allows attackers to create wiki pages in projects they shouldn't have access to. This affects all OpenProject installations running vulnerable versions. The issue stems from insufficient access controls on wiki page creation requests.
💻 Affected Systems
- OpenProject
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create malicious wiki pages in sensitive projects, potentially embedding phishing links, malware, or inappropriate content that appears legitimate to project members.
Likely Case
Unauthorized users create wiki pages in projects they shouldn't access, potentially leaking sensitive information or disrupting project workflows through inappropriate content.
If Mitigated
With proper access controls and monitoring, unauthorized wiki creation attempts would be blocked and logged for investigation.
🎯 Exploit Status
Exploitation requires authenticated access but bypasses project-level permissions. The advisory suggests the vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 17.0.5 or 17.1.2
Vendor Advisory: https://github.com/opf/openproject/security/advisories/GHSA-9gc6-3xjq-pwc9
Restart Required: Yes
Instructions:
1. Backup your OpenProject installation and database.
2. Update to OpenProject 17.0.5 (for the 17.0.x branch) or 17.1.2 (for the 17.1.x branch).
3. Restart the OpenProject service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Wiki Module
Temporarily disable wiki functionality until patching is possible
# Modify OpenProject configuration to disable wiki module
# Specific commands depend on installation method (Docker, package, source)
Restrict User Permissions
Tighten user permissions to minimize attack surface
# Review and restrict user roles and permissions in OpenProject admin interface
# Ensure users only have necessary project access
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized wiki page creation attempts
- Disable wiki functionality for non-essential projects and users
🔍 How to Verify
Check if Vulnerable:
Check the OpenProject version via the admin interface or by examining the application metadata. 17.0.x versions before 17.0.5 and 17.1.x versions before 17.1.2 are vulnerable.
Check Version:
Check OpenProject admin dashboard or run appropriate command based on installation method (e.g., docker inspect, package manager query, or check application files)
Verify Fix Applied:
After updating, verify the version shows 17.0.5 or later (17.0.x branch) or 17.1.2 or later (17.1.x branch). Test that authenticated users cannot create wiki pages in projects they lack permissions for.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized wiki creation attempts in application logs
- Wiki page creation events from users without proper project permissions
Network Indicators:
- HTTP POST requests to wiki creation endpoints from unauthorized users
SIEM Query:
source="openproject.log" AND "wiki" AND "create" AND user NOT IN [authorized_users_for_project]
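As an added detection example (not part of this advisory or of OpenProject's own code), the SIEM logic above worked through in Python over constructed request-log lines. The key=value log format, the `/projects/<identifier>/wiki/new` create route and the project membership table are all assumptions to be adapted to your deployment.

```python
import re
from dataclasses import dataclass

# Assumed request-log shape (key=value fields); the advisory does not specify
# OpenProject's actual log format, so adapt the regex to your deployment.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ method=(?P<method>[A-Z]+) path=(?P<path>\S+) "
    r"user=(?P<user>\S+) status=(?P<status>\d{3})"
)
# Assumed wiki-creation route: POST /projects/<identifier>/wiki/new
WIKI_CREATE_RE = re.compile(r"^/projects/(?P<project>[^/]+)/wiki/new$")

# Constructed sample data: project membership and four request-log lines.
PROJECT_MEMBERS = {"sales": {"alice", "bob"}, "hr-confidential": {"carol"}}
SAMPLE_LOG = """\
2026-03-02T10:14:03Z INFO method=POST path=/projects/sales/wiki/new user=alice status=302
2026-03-02T10:15:41Z INFO method=GET path=/projects/sales/wiki user=bob status=200
2026-03-02T10:16:07Z INFO method=POST path=/projects/hr-confidential/wiki/new user=bob status=302
2026-03-02T10:17:22Z INFO method=POST path=/projects/hr-confidential/wiki/new user=dave status=403
"""

@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    project: str
    status: int
    succeeded: bool  # 2xx/3xx means the server accepted the create request

def find_unauthorized_wiki_creates(log_text, members):
    """Return wiki-create attempts by users who are not members of the project.
    A 'succeeded' finding on an unpatched instance is the signature of this bug."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # only create requests are of interest
        route = WIKI_CREATE_RE.match(m["path"])
        if not route:
            continue  # POST to something other than the wiki create route
        project, user = route["project"], m["user"]
        if user in members.get(project, set()):
            continue  # legitimate project member; nothing to report
        status = int(m["status"])
        findings.append(Finding(m["ts"], user, project, status, status < 400))
    return findings
```

A blocked (403) finding shows the permission check working; an accepted one from a non-member is what to investigate on an unpatched instance.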