External risk intelligence

OpenProject IDOR Allows Project Admins to Hijack Other Projects' Cloud Storage Folders.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-52782

OpenProject is a web-based project management application designed for team collaboration. Such applications are commonly deployed as internet-facing web services to allow distributed teams and external stakeholders access to project resources, placing the administrative and project management endpoints within reach of the public internet.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in OpenProject, a web-based project management system. The issue allows a project administrator to gain unauthorized access to another project's managed cloud storage folders, potentially exposing or modifying sensitive project data.

  • Project admin can access another project's cloud storage.
  • Matters for data control and potential unauthorized access.
  • Confirm if OpenProject is in use and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker with project-admin privileges in one OpenProject project can gain unauthorized access to another project's managed cloud storage. By manipulating a specific parameter, the attacker can associate their project with another project's cloud storage folder. This action overwrites the access controls for that folder, allowing the attacker's project members to access files that should have been restricted.

  • Requires project administrator access.
  • Manipulates project storage settings.
  • Leads to unauthorized resource access.

Live Threat

Current exploitation, exposure, and threat context

An authenticated project administrator could gain unauthorized access to another project's managed cloud storage folders. This occurs when a project admin manipulates project storage settings to associate their project with another project's folder. When the system synchronizes managed folders, it could overwrite access controls, exposing the victim project's folder to the attacker's project's user list.

  • Unauthorized access to project storage folders.
  • IDOR vulnerability in project storage settings.
  • Compromised access controls for cloud storage.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts OpenProject deployments that manage external storage like Nextcloud or OneDrive. The first step is to identify all instances of OpenProject, determine which are exposed externally, confirm their criticality, and identify the accountable system or application owner. Remediation planning should then be prioritized based on this risk assessment.

  • Application owners should manage the issue.
  • Verify external storage integration reachability.
  • Plan coordinated storage folder remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenProject?

OpenProject is a web-based, open-source software platform used by teams for collaborative project management. It includes features for tracking tasks, planning schedules, and integrating with external cloud storage services like Nextcloud and OneDrive to centralize project documentation and files.

What is the vulnerability in CVE-2026-52782?

This vulnerability is classified as an Insecure Direct Object Reference (CWE-639). It occurs when the software does not properly verify if a user has permission to access a specific resource. In this case, it allows an authenticated project administrator to reference and effectively hijack cloud storage folders belonging to a different project.

How does an attacker trigger this CVE-2026-52782 flaw?

An attacker needs existing project-admin privileges within the OpenProject instance to initiate the exploit. By sending a specific PATCH request, they can overwrite the folder association for their project. Simply browsing or viewing the application without admin rights does not trigger this vulnerability.

Who should be concerned about this vulnerability?

Organizations using OpenProject for project management should assess their risk. Halo Surface Signal identifies OpenProject as commonly deployed as an internet-facing service, meaning these administrative endpoints are often reachable from the public internet, potentially increasing the availability of this attack path to malicious actors.

How do I respond to this OpenProject advisory?

The primary step is to upgrade your OpenProject software to versions 17.3.3 or 17.4.1, which contain the security fix. Before applying the update, identify all internal instances of the application, determine which are accessible externally, and coordinate with the system owners to ensure the patch is deployed and the storage integration remains secure.

References