CVE-2026-23721 - Vulnerability Details

- OpenProject users with "View Members" permission in any project can view all Group memberships

Description

OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.

Published: 2026-01-19

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

OpenProject users who have been granted the View Members permission in any project can enumerate all groups and view the membership list of each group. The flaw is a failed permissions check that exposes group membership data that should be hidden from such users. This is an instance of missing permissions (CWE‑862) and enables the disclosure of user identities and group structures, potentially aiding social engineering or targeted attacks.

Affected Systems

Versions of OpenProject earlier than 17.0.1 and 16.6.5 are affected. Users running OpenProject 16.x (up to 16.6.4) or 17.0.0 receive the vulnerability. The issue is tied to group usage and the View Members permission across any project.

Risk and Exploitability

The vulnerability has an overall CVSS score of 4.3 and an EPSS score of less than 1 %. It is not listed in the CISA KEV catalog, indicating no publicly known exploits. An attacker must possess a valid account with View Members permission in at least one project; with that access, enumeration of all groups and their members is straightforward. The impact is limited to information disclosure but can aid further attacks if attacker leverages the collected data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

opf

openproject

affected

Version	Status	Constraints
`< 16.6.5`	affected	—
`= 17.0.0`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:openproject:openproject::::::::
	cpe:2.3:a:openproject:openproject:17.0.0:::::::*

No data.

Vendor	Product	Confidence	Versions
Openproject	Openproject	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to OpenProject 17.0.1 or 16.6.5 (or newer) to apply the fix.
Review user accounts to ensure that only trusted personnel are granted the View Members permission, and remove the permission from accounts that do not need it.
Conduct an audit of group membership visibility and adjust access controls to limit exposure of member lists.

Generated by OpenCVE AI on April 18, 2026 at 05:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h

History

Mon, 02 Feb 2026 20:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:openproject:openproject:::::::: cpe:2.3:a:openproject:openproject:17.0.0:::::::*

Tue, 20 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openproject Openproject openproject
Vendors & Products		Openproject Openproject openproject

Mon, 19 Jan 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.
Title		OpenProject users with "View Members" permission in any project can view all Group memberships
Weaknesses		CWE-862
References		https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Openproject Openproject

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-19T17:52:35.307Z

Updated: 2026-01-20T14:51:21.936Z

Reserved: 2026-01-15T15:45:01.955Z

Link: CVE-2026-23721

Vulnrichment

Updated: 2026-01-20T14:51:17.311Z

NVD

Status : Analyzed

Published: 2026-01-19T18:16:05.730

Modified: 2026-02-02T20:44:39.410

Link: CVE-2026-23721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object