Description
A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

A flaw in ProjectSend’s authentication module, specifically in includes/Classes/Auth.php, allows an attacker to manipulate the ldap_email argument and trigger an observable response discrepancy. This response difference can be used to infer the existence of LDAP accounts or confirm authentication states, effectively enabling user enumeration. The vulnerability corresponds to CWE‑203 (Information Exposure Through Logs) and CWE‑204 (Information Exposure Through Non‑Error Messages).

Affected Systems

The affected product is ProjectSend, with all releases up to revision 1945 identified as vulnerable. No specific sub‑versions beyond r1945 are mentioned; later releases are assumed unaffected.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low overall exploitation probability. An exploit has been published, but exploitation is considered difficult, suggesting that an attacker would need remote access to the vulnerable endpoint and a high level of technical skill to succeed. The vulnerability is not listed in the CISA KEV catalog, but the existence of a published exploit demonstrates that exploitation is possible in the right circumstances.

Generated by OpenCVE AI on March 18, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a ProjectSend release newer than revision 1945 if one is available.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 17:15:00 +0000

Values added, by type (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 16:30:00 +0000

Values added, by type (no values removed):

  • Description: A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldap_email can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is said to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  • Title: projectsend Auth.php response discrepancy
  • First Time appeared: Projectsend; Projectsend projectsend
  • Weaknesses: CWE-203, CWE-204
  • CPEs: cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*
  • Vendors & Products: Projectsend; Projectsend projectsend
  • References
  • Metrics:
      cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
      cvssV3_0 {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
      cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
      cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T16:51:30.756Z

Reserved: 2026-03-12T09:07:46.937Z

Link: CVE-2026-4045

Vulnrichment

Updated: 2026-03-12T16:51:25.254Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T17:16:52.457

Modified: 2026-03-12T21:07:53.427

Link: CVE-2026-4045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:02Z

Weaknesses