Description
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Published: 2026-01-10
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration via User ID
Action: Patch
AI Analysis

Impact

A low‑privileged logged‑in user can view the full names of other users. Because the system assigns user IDs sequentially, an attacker can iterate through numerical URLs or API endpoints to enumerate every user. This results in an information disclosure weakness (CWE‑200) that reveals full names to anyone with a basic account, potentially compromising personal privacy within the organization.

Affected Systems

The flaw affects all installations of OpenProject released before version 16.6.2. Deployments in any environment, on-premises or hosted, are susceptible if the fix has not been applied. The patch is bundled in the v16.6.2 release and is also available as a manual patch for environments that cannot upgrade immediately.

Risk and Exploitability

The CVSS base score is 3.5, indicating low severity, and the EPSS score is less than 1 %, suggesting limited current exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog. An attacker who is authenticated as a low‑privilege user can enumerate all other users by sending repeated requests to predictable URLs or API calls, enabling automated harvesting of personal data.

Generated by OpenCVE AI on April 18, 2026 at 07:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 16.6.2 or newer where the enumeration issue is fixed.
  • If an upgrade is not possible, apply the manual patch referenced in the security advisory to restrict or randomize user ID exposure.
  • Disable or restrict direct user ID access in web routes and API endpoints, or enforce stricter access controls so that only administrators can view full names.


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:30:00 +0000

  • CPEs (values added): cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Tue, 13 Jan 2026 20:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

  • First Time appeared (values added): Openproject; Openproject openproject
  • Vendors & Products (values added): Openproject; Openproject openproject

Sat, 10 Jan 2026 01:45:00 +0000

  • Description (values added): OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
  • Title (values added): OpenProject is Vulnerable to User Enumeration via User ID
  • Weaknesses (values added): CWE-200
  • References (values added):
  • Metrics (values added): cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T20:07:25.275Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22602

Vulnrichment

Updated: 2026-01-13T20:07:22.747Z

NVD

Status : Analyzed

Published: 2026-01-10T02:15:49.057

Modified: 2026-01-14T22:26:18.717

Link: CVE-2026-22602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses