What is CVE-2026-23646?

CVE-2026-23646 is a medium-severity vulnerability in Opf Openproject, classified under CWE-488. CVSS score: 6.5/10. Published 2026-01-19.

How severe is CVE-2026-23646?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Vulnerability in Opf Openproject

CVE-2026-23646

OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session…

EPSS: 0.001 (19.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Affected products

Opf Openproject — versions < 16.6.5, = 17.0.0

Weakness classification (CWE)

CWE-488

References

https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp (x_refsource_CONFIRM)
https://github.com/opf/openproject/releases/tag/v16.6.5 (x_refsource_MISC)
https://github.com/opf/openproject/releases/tag/v17.0.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-23646?: CVE-2026-23646 is a medium-severity vulnerability in Opf Openproject, classified under CWE-488. CVSS score: 6.5/10. Published 2026-01-19.
How severe is CVE-2026-23646?: Medium severity. CVSS v3 base score is 6.5 out of 10.