Description
OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3.
Published: 2026-01-10
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Insecure Direct Object Reference exposing meeting details
Action: Patch
AI Analysis

Impact

OpenProject versions before 16.6.3 allow any user who holds the View Meetings permission in at least one project to view the details of meetings that belong to projects the user is not a member of: the permission is honoured regardless of which project owns the requested meeting. The weakness is tracked as CWE-284 (Improper Access Control) and is described by the vendor as an Insecure Direct Object Reference; the result is unauthorized disclosure of meeting information across project boundaries.
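To make the class of defect concrete, the following is an added illustrative model in plain Ruby (OpenProject is a Rails application, but this is not OpenProject's code; the Role, Membership, Meeting and MeetingAuthorizer names, the permission symbols and the sample memberships are assumptions constructed for this example). It contrasts a check that asks "does this user hold View Meetings in any project?" with one that scopes the permission to the project owning the meeting, and reports which meetings leak under the first policy.

```ruby
# Illustrative model of a cross-project permission leak (added example,
# not OpenProject's code). All names below are assumptions for the demo.

Role       = Struct.new(:name, :permissions)
Membership = Struct.new(:user, :project, :role)
Meeting    = Struct.new(:id, :project, :title)

class MeetingAuthorizer
  def initialize(memberships)
    @memberships = memberships
  end

  # Vulnerable pattern: any membership carrying :view_meetings satisfies
  # the check, so the project the meeting belongs to is never consulted.
  def can_view_vulnerable?(user, _meeting)
    @memberships.any? do |m|
      m.user == user && m.role.permissions.include?(:view_meetings)
    end
  end

  # Fixed pattern: the permission must be held in the meeting's own project.
  # A membership in that project with a role lacking :view_meetings does
  # not grant access either.
  def can_view_fixed?(user, meeting)
    @memberships.any? do |m|
      m.user == user &&
        m.project == meeting.project &&
        m.role.permissions.include?(:view_meetings)
    end
  end

  # Meetings a user can see under the given policy method.
  def visible(user, meetings, policy)
    meetings.select { |mt| public_send(policy, user, mt) }
  end
end

# Constructed sample data: two roles, three memberships, three meetings in
# three different projects.
MEMBER = Role.new("Member", [:view_project, :view_meetings])
VIEWER = Role.new("Viewer", [:view_project])

MEMBERSHIPS = [
  Membership.new("alice", "public-site", MEMBER),
  Membership.new("bob",   "public-site", VIEWER),
  Membership.new("bob",   "mna-deal",    MEMBER),
].freeze

MEETINGS = [
  Meeting.new(1, "public-site", "Sprint review"),
  Meeting.new(2, "mna-deal",    "Acquisition due diligence"),
  Meeting.new(3, "board",       "Board strategy offsite"),
].freeze

# IDs of meetings the vulnerable check exposes that the fixed check denies.
def leaked_meetings(user)
  auth  = MeetingAuthorizer.new(MEMBERSHIPS)
  vuln  = auth.visible(user, MEETINGS, :can_view_vulnerable?)
  fixed = auth.visible(user, MEETINGS, :can_view_fixed?)
  (vuln - fixed).map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  %w[alice bob carol].each do |u|
    puts "#{u}: meetings leaked by the global check = #{leaked_meetings(u).inspect}"
  end
end
```

Alice, a Member of one project only, can read the "mna-deal" and "board" meetings under the global check; Bob, who is only a Viewer in "public-site", additionally gains that project's meeting even though his role there does not carry the permission. A user with no memberships at all leaks nothing, which is why the vendor's precondition (View Meetings in some project) matters.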

Affected Systems

The affected product is OpenProject itself: every installation running a release earlier than 16.6.3 is affected, whatever its minor or patch level. Administrators of self-hosted instances should check the installed version and upgrade if it is anything earlier than 16.6.3.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) rates this as Medium: reachable over the network, low attack complexity, low privileges required, no user interaction, and an impact limited to confidentiality. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog (the SSVC assessment likewise records no known exploitation and rates it not automatable). Exploitation requires an authenticated account that holds the View Meetings permission in at least one project; with that precondition met, the account can read meeting details belonging to projects it cannot otherwise access. Note that a low EPSS reflects observed exploitation activity, not difficulty: given a qualifying account, the access-control bypass itself is low complexity.

Generated by OpenCVE AI on April 18, 2026 at 07:16 UTC.

Remediation

A vendor fix is available: OpenProject 16.6.3 (see Description). No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Update OpenProject to version 16.6.3 or later, which contains the fix for the IDOR.
  • Until the upgrade is applied, restrict the View Meetings permission to roles that genuinely need it, bearing in mind that on vulnerable versions holding it in any one project exposes meetings in every project.
  • Audit existing role and membership assignments in OpenProject so that permissions follow the principle of least privilege across all projects.


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 22:30:00 +0000

  • CPEs, values added: cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

Mon, 12 Jan 2026 20:15:00 +0000

  • Metrics, values added: ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Mon, 12 Jan 2026 14:45:00 +0000

  • First Time appeared, values added: Openproject; Openproject openproject
  • Vendors & Products, values added: Openproject; Openproject openproject

Sat, 10 Jan 2026 01:45:00 +0000

  • Description, values added: OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3.
  • Title, values added: OpenProject is Vulnerable to Insecure Direct Object Reference in Meetings
  • Weaknesses, values added: CWE-284
  • References
  • Metrics, values added: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T19:15:27.143Z

Reserved: 2026-01-07T21:50:39.533Z

Link: CVE-2026-22605

Vulnrichment

Updated: 2026-01-12T19:15:24.629Z

NVD

Status : Analyzed

Published: 2026-01-10T02:15:49.487

Modified: 2026-01-14T22:27:55.377

Link: CVE-2026-22605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:30:36Z

Weaknesses