CVE-2026-52782

opf · openproject

OpenProject contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated project administrators to hijack project folders and overwrite access control lists.

Executive summary

An IDOR vulnerability in OpenProject's project storage settings lets an authenticated project administrator attach another project's storage folder to their own project and have its access control list rewritten, giving cross-project folder access and data manipulation from a role that should be confined to a single project. The issue is rated critical (CVSS 9.9).

Vulnerability

The flaw is an IDOR in the project storage settings: the endpoint accepts the submitted storages_project_storage[project_folder_id] value without verifying that the referenced folder belongs to the project being configured. An attacker who holds project-admin privileges in one project can therefore submit the folder ID of a different project's storage folder and attach that folder to their own project. The subsequent ACL synchronisation then overwrites the hijacked folder's ACL with the attacker's project user list, which both grants the attacker access and strips the folder's legitimate users.
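The following is an added illustration, not OpenProject's own code: a minimal model of the update handler in the vulnerable shape (the folder ID is trusted as submitted) beside the hardened shape (the folder is resolved inside the scope of the project being edited). The class names, the fixture data and the ACL-sync helper are hypothetical; only the parameter name storages_project_storage[project_folder_id] comes from the advisory.

```ruby
# Added example, not OpenProject code. Models, fixture and sync_acl are
# hypothetical; they exist only to show why an unchecked
# storages_project_storage[project_folder_id] is an IDOR.

ProjectFolder  = Struct.new(:id, :project_id, :acl)
ProjectStorage = Struct.new(:project_id, :project_folder_id)

class NotAuthorized < StandardError; end

# Constructed fixture: two projects, each owning one storage folder.
def build_fixture
  folders = {
    10 => ProjectFolder.new(10, 1, %w[alice bob]),   # owned by project 1
    20 => ProjectFolder.new(20, 2, %w[carol dave]),  # owned by project 2
  }
  members = { 1 => %w[alice mallory], 2 => %w[carol dave] }
  [folders, members]
end

# ACL sync as the advisory describes it: the folder's ACL becomes the
# member list of the project whose storage points at it.
def sync_acl(storage, folders, members)
  folders.fetch(storage.project_folder_id).acl = members.fetch(storage.project_id).dup
end

# Vulnerable shape: the submitted folder id is used as-is.
def update_vulnerable(storage, params, folders, members)
  folder_id = Integer(params.dig('storages_project_storage', 'project_folder_id'))
  storage.project_folder_id = folder_id
  sync_acl(storage, folders, members)
  storage
end

# Hardened shape: the folder must be owned by the project being edited,
# so an id from another project is rejected before anything is written.
def update_hardened(storage, params, folders, members)
  folder_id = Integer(params.dig('storages_project_storage', 'project_folder_id'))
  folder = folders[folder_id]
  unless folder && folder.project_id == storage.project_id
    raise NotAuthorized, "folder #{folder_id} does not belong to project #{storage.project_id}"
  end
  storage.project_folder_id = folder_id
  sync_acl(storage, folders, members)
  storage
end

# A project-1 admin submits project 2's folder id (20) for project 1's storage.
# Returns folder 20's ACL afterwards, whether the request was rejected, and
# which folder project 1's storage ends up pointing at.
def attempt_hijack(updater)
  folders, members = build_fixture
  storage = ProjectStorage.new(1, 10)
  params  = { 'storages_project_storage' => { 'project_folder_id' => '20' } }
  rejected = false
  begin
    send(updater, storage, params, folders, members)
  rescue NotAuthorized
    rejected = true
  end
  { rejected: rejected, folder20_acl: folders[20].acl, storage_folder: storage.project_folder_id }
end

if __FILE__ == $0
  p attempt_hijack(:update_vulnerable) # folder 20's ACL becomes project 1's members
  p attempt_hijack(:update_hardened)   # rejected, folder 20's ACL untouched
end
```

The point of the hardened variant is where the lookup happens: resolving the folder through the project's own scope (rather than a global find by ID followed by a permission check on the attacker's project) means a valid ID from another project simply does not resolve.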

Business impact

With a CVSS score of 9.9, this vulnerability is a severe threat to data confidentiality and integrity. Hijacking a storage folder lets the attacker read sensitive documents of a project they are not a member of, and the ACL overwrite can lock the legitimate project members out of their own files, so both internal data leakage and loss of access to project data are in scope.

Remediation

Immediate Action: Upgrade to OpenProject version 17.3.3 or 17.4.1 as specified in the vendor security advisory.

Proactive Monitoring: Review application access logs for PATCH requests to the project storage settings endpoint, in particular requests whose storages_project_storage[project_folder_id] references a folder that does not belong to the project in the request path.

Compensating Controls: Limit the project-administrator role to trusted personnel, audit existing project storage mappings for folder IDs that belong to other projects, and re-check folder ACLs for unexpected members until the update can be applied.
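For the monitoring and audit steps above, here is an added helper that is not OpenProject code and does not use its real log format: it pairs each PATCH request line with the parameter line that follows it and flags requests whose submitted folder ID is not owned by the project in the request path, and it runs the same ownership check over an exported list of stored project-storage mappings. The route pattern, the log line shapes and the folder-ownership inventory are all assumed and constructed; adjust the regular expressions to what your deployment actually logs.

```ruby
# Added example, not OpenProject code. The log format, route pattern and
# ownership inventory below are constructed for illustration.

# Assumed inventory: which project owns which storage folder.
FOLDER_OWNER = { 10 => 1, 20 => 2, 30 => 3 }

# Constructed log excerpt in a Rails-like shape. The second PATCH is the
# suspicious one: project 1's settings endpoint is asked to adopt folder 20,
# which belongs to project 2. The last one references an unknown folder.
SAMPLE_LOG = <<~LOG
  Started PATCH "/projects/1/settings/project_storages/7" for 10.0.0.5 at 2026-03-02 09:12:01 +0000
    Parameters: {"storages_project_storage"=>{"project_folder_id"=>"10"}, "project_id"=>"1", "id"=>"7"}
  Started PATCH "/projects/1/settings/project_storages/7" for 10.0.0.5 at 2026-03-02 09:13:44 +0000
    Parameters: {"storages_project_storage"=>{"project_folder_id"=>"20"}, "project_id"=>"1", "id"=>"7"}
  Started GET "/projects/2/work_packages" for 10.0.0.9 at 2026-03-02 09:14:00 +0000
  Started PATCH "/projects/3/settings/project_storages/9" for 10.0.0.7 at 2026-03-02 09:15:10 +0000
    Parameters: {"storages_project_storage"=>{"project_folder_id"=>"99"}, "project_id"=>"3", "id"=>"9"}
LOG

# Assumed route: PATCH /projects/:project_id/settings/project_storages/...
REQUEST_RE = /Started PATCH "\/projects\/(?<project>\d+)\/settings\/project_storages[^"]*" for (?<ip>\S+) at (?<time>[^\n]+)/
FOLDER_RE  = /"project_folder_id"=>"(?<folder>\d+)"/

# Return each PATCH whose folder id is not owned by the project in its path.
# An id with no known owner is also flagged, since it cannot be verified.
def suspicious_requests(log, folder_owner = FOLDER_OWNER)
  findings = []
  pending  = nil
  log.each_line do |line|
    if (m = REQUEST_RE.match(line))
      pending = { project: m[:project].to_i, ip: m[:ip], time: m[:time].strip }
    elsif pending && (f = FOLDER_RE.match(line))
      folder = f[:folder].to_i
      owner  = folder_owner[folder]
      findings << pending.merge(folder: folder, owner: owner) if owner != pending[:project]
      pending = nil
    end
  end
  findings
end

# Audit of stored mappings (e.g. exported from the database): every project
# storage should point at a folder its own project owns.
def cross_project_mappings(project_storages, folder_owner = FOLDER_OWNER)
  project_storages.reject { |ps| folder_owner[ps[:project_folder_id]] == ps[:project_id] }
end

if __FILE__ == $0
  suspicious_requests(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:ip]} project #{f[:project]} -> folder #{f[:folder]} (owner: #{f[:owner].inspect})"
  end
end
```

The audit function is the more reliable of the two on an already-exposed instance, because a hijack that predates log retention leaves no request to find but still leaves a mapping that points across project boundaries.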

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

This vulnerability is a failure of cross-project isolation: a role scoped to one project becomes write access to another project's storage, which opens the door to internal data leakage or sabotage. Administrators should apply the patched versions immediately to restore the access control boundary, then audit storage mappings and folder ACLs for changes made before the upgrade.