Mallory rating: Unrated

IDOR in OpenProject project storage settings allows cross-project folder hijack

Identifiers: CVE-2026-52782, CWE-639

CVE-2026-52782 is an insecure direct object reference (IDOR, CWE-639) vulnerability in OpenProject affecting versions prior to 17.3.3 and 17.4.1. The flaw is in the PATCH handling of the /projects/<A>/settings/project_storages/<A_ps_id> endpoint, specifically the storages_project_storage[project_folder_id] parameter. The endpoint checks that the caller administers project A, but it does not check that the supplied folder belongs to project A. A project administrator for one project can therefore submit the project_folder_id of another project that uses the same backing storage integration, causing the attacker-controlled Storages::ProjectStorage record to reference the victim project’s managed folder. On the next managed-folder synchronization, OpenProject rewrites the ACL of the referenced Nextcloud or OneDrive folder from the attacker project’s membership, reassigning access to the victim folder to users the victim project never granted.
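The following Ruby illustration, added here and not taken from OpenProject’s code base, models the pattern described above with a toy in-memory tenant: a role check that passes (the attacker really is an admin of project 20) combined with an unscoped object reference, followed by a sync that overwrites the referenced folder’s ACL. The struct names, the owner_project_id field on the folder and the fixture ids are assumptions for the example; the hardened handler shows the CWE-639 fix, scoping the folder lookup to the caller’s own project storage.

```ruby
require 'set'

# Toy model (assumed shapes, not OpenProject's schema).
Project        = Struct.new(:id, :name, :admin_ids, :member_ids)
ManagedFolder  = Struct.new(:id, :storage_id, :owner_project_id, :acl)  # acl: Set of user ids
ProjectStorage = Struct.new(:id, :project_id, :storage_id, :project_folder_id)

class NotFound  < StandardError; end
class Forbidden < StandardError; end

class Tenant
  attr_reader :projects, :folders, :project_storages

  # Constructed fixture: one storage integration (storage 1) backs two projects.
  # User 1 administers the victim project (10); user 3 administers the attacker project (20).
  def initialize
    @projects = {
      10 => Project.new(10, 'victim',   Set[1], Set[1, 2]),
      20 => Project.new(20, 'attacker', Set[3], Set[3]),
    }
    @folders = {
      'f-victim'   => ManagedFolder.new('f-victim',   1, 10, Set[1, 2]),
      'f-attacker' => ManagedFolder.new('f-attacker', 1, 20, Set[3]),
    }
    @project_storages = {
      100 => ProjectStorage.new(100, 10, 1, 'f-victim'),
      200 => ProjectStorage.new(200, 20, 1, 'f-attacker'),
    }
  end

  # Role check: the actor must administer the project that owns this project storage.
  def authorize!(actor_id, ps)
    raise Forbidden unless @projects.fetch(ps.project_id).admin_ids.include?(actor_id)
  end

  # Vulnerable PATCH handler: the role check passes, but the submitted
  # project_folder_id is stored as-is, so it may name any folder on the storage.
  def patch_vulnerable(actor_id, ps_id, params)
    ps = @project_storages.fetch(ps_id) { raise NotFound }
    authorize!(actor_id, ps)
    ps.project_folder_id = params.dig('storages_project_storage', 'project_folder_id')
    ps
  end

  # Hardened handler: the folder must exist on the storage bound to this project
  # storage and must be the folder provisioned for this project. Unknown or
  # off-storage ids get NotFound rather than Forbidden, so the endpoint does not
  # act as an oracle for folder ids on the backend.
  def patch_hardened(actor_id, ps_id, params)
    ps = @project_storages.fetch(ps_id) { raise NotFound }
    authorize!(actor_id, ps)
    folder_id = params.dig('storages_project_storage', 'project_folder_id')
    folder = @folders[folder_id]
    raise NotFound  if folder.nil? || folder.storage_id != ps.storage_id
    raise Forbidden unless folder.owner_project_id == ps.project_id
    ps.project_folder_id = folder_id
    ps
  end

  # Managed-folder sync: overwrite the referenced folder's ACL with the project's members.
  def sync(ps_id)
    ps = @project_storages.fetch(ps_id)
    folder = @folders.fetch(ps.project_folder_id)
    folder.acl = @projects.fetch(ps.project_id).member_ids.dup
    folder
  end
end

# User 3 (attacker admin) points project storage 200 at the victim's folder, then a sync runs.
# Returns the victim folder's ACL afterwards.
def victim_acl_after_attack(hardened:)
  t = Tenant.new
  params = { 'storages_project_storage' => { 'project_folder_id' => 'f-victim' } }
  begin
    hardened ? t.patch_hardened(3, 200, params) : t.patch_vulnerable(3, 200, params)
    t.sync(200)
  rescue Forbidden
    # hardened path rejects the cross-project reference; nothing is synced
  end
  t.folders['f-victim'].acl
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: victim ACL = #{victim_acl_after_attack(hardened: false).to_a.inspect}"
  puts "hardened:   victim ACL = #{victim_acl_after_attack(hardened: true).to_a.inspect}"
end
```

With the vulnerable handler the victim folder’s ACL ends up as the attacker project’s member list; with the hardened handler the PATCH is refused and the ACL is untouched. The point generalizes beyond this endpoint: any mutable foreign key accepted from a request body needs the same scoping check as a read would.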


Impact, mitigation & remediation


Impact


Successful exploitation allows a project administrator in one OpenProject project to hijack another project’s managed Nextcloud or OneDrive folder on the same storage backend. The practical impact is unauthorized access to resources belonging to the victim project and unauthorized modification of folder permissions, because the subsequent synchronization overwrites the target folder ACL with the attacker project’s user list. This can expose sensitive project files to unauthorized users and disrupt the victim project’s intended access controls.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrading is not possible, restrict which users have project-admin privileges, especially on projects using shared storage integrations. Closely monitor and audit changes to project storage settings and folder mappings, and review synchronization activity for unexpected ACL changes on managed Nextcloud or OneDrive folders. Where operationally feasible, temporarily disable or limit affected storage integrations or managed-folder synchronization until the fixed version can be deployed.

Remediation

Patch, then assume compromise.

Upgrade OpenProject to version 17.3.3, 17.4.1, or a later fixed release; the issue is resolved in those versions. Patching closes the endpoint but does not undo mappings changed before the patch, so after upgrading review every configured project storage mapping and verify that no project_folder_id references a folder provisioned for a different project on the same storage. Then validate and correct the ACLs on managed Nextcloud and OneDrive folders that may have been rewritten by a synchronization while a tampered mapping was in place.
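As an added example for the mapping review above (not a tool shipped with OpenProject), the Ruby script below reads an export of the project storage table and flags every (storage, project_folder_id) pair referenced by more than one project, which is the observable footprint of a cross-project folder reference. The table and column names in the constructed sample are assumptions drawn from the parameter name on this page; confirm them against your own database before exporting.

```ruby
require 'csv'

# Constructed sample of an export such as
#   \copy (SELECT id, project_id, storage_id, project_folder_id, project_folder_mode
#          FROM project_storages) TO 'project_storages.csv' CSV HEADER
# (table and column names assumed). Folder f-1003 on storage 1 is referenced by two projects.
SAMPLE_CSV = <<~CSV
  id,project_id,storage_id,project_folder_id,project_folder_mode
  1,10,1,f-1001,automatic
  2,11,1,f-1002,automatic
  3,12,1,f-1003,automatic
  4,13,1,f-1003,automatic
  5,14,2,f-1003,automatic
  6,15,1,,inactive
CSV

# Returns one finding per (storage_id, project_folder_id) shared by more than one
# project. The key includes storage_id because different storage backends may
# legitimately reuse the same remote folder identifier. Rows without a folder id
# (inactive mappings) are skipped.
def shared_folder_references(csv_text)
  rows = CSV.parse(csv_text, headers: true)
  by_folder = Hash.new { |h, k| h[k] = [] }
  rows.each do |r|
    folder_id = r['project_folder_id']
    next if folder_id.nil? || folder_id.empty?
    by_folder[[r['storage_id'], folder_id]] << r['project_id']
  end
  by_folder
    .select { |_, project_ids| project_ids.uniq.size > 1 }
    .map do |(storage_id, folder_id), project_ids|
      { storage_id: storage_id, project_folder_id: folder_id, project_ids: project_ids.uniq.sort }
    end
end

if __FILE__ == $PROGRAM_NAME
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CSV
  findings = shared_folder_references(input)
  findings.each do |f|
    puts "storage #{f[:storage_id]} folder #{f[:project_folder_id]} " \
         "referenced by projects #{f[:project_ids].join(', ')}"
  end
  puts 'no shared folder references found' if findings.empty?
end
```

Run it as `ruby audit.rb project_storages.csv`. Each finding names the projects whose members were written into the same folder ACL by synchronization; the project that originally owned the folder is the one whose member list should be restored on the Nextcloud or OneDrive side.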
Public exploits

No public exploit code observed for this vulnerability.
