Impact
OpenProject suffered from an improper access control flaw that permitted anyone to send GET requests to /projects/[projectName]/meetings with a "filters" parameter containing an "invited_user_id" condition. The server responded differently depending on whether the supplied user ID belonged to an existing account, thereby leaking full user names. The flaw enables an attacker to enumerate all registered users and learn their legitimate user names, compromising confidentiality. The issue is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a typical account enumeration weakness.
Affected Systems
The vulnerable software is the OpenProject project-management application in versions earlier than the 17.3.2 and 17.4.0 releases. Users of the open-source OpenProject platform who have not applied the 17.3.2 or 17.4.0 updates are affected. The CNA for this issue is the OpenProject Foundation (opf:openproject).
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity; the EPSS score is unavailable, so the predicted probability of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog, indicating no known large-scale exploitation. An attacker can simply send HTTP GET requests to the exposed endpoint, without credentials or special privileges, to determine whether a numeric user ID is valid. Once a full list of user names is obtained, it can serve as a foundation for subsequent phishing or credential-reuse attacks. The risk is therefore considered moderate: there is no direct code execution or privilege escalation, but the sensitivity of the disclosed user data demands timely remediation.
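Because the enumeration described above is just a sequence of unauthenticated GET requests to the meetings endpoint with varying invited_user_id values, it leaves a recognisable pattern in ordinary web-server access logs: one client address, one project's /meetings path, many distinct user IDs in the "filters" parameter. The following detector is an added example written for this page, not code from OpenProject or OpenCVE. It parses combined-format access log lines, extracts the invited_user_id values from each meetings request and flags any client that probes more than a threshold of distinct IDs. The log lines are constructed for the example, and the JSON shape assumed for the "filters" parameter (a list of {"invited_user_id": {"operator": "=", "values": [...]}} objects) is an assumption; adjust the extraction to whatever your instance actually logs.

```python
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# nginx/Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
MEETINGS_PATH_RE = re.compile(r"^/projects/[^/]+/meetings/?$")


def invited_user_filter(uid):
    """URL-encoded 'filters' query for a single invited_user_id probe.
    The JSON layout is an assumption used only to construct sample traffic."""
    payload = json.dumps([{"invited_user_id": {"operator": "=", "values": [str(uid)]}}])
    return "filters=" + quote(payload, safe="")


def make_line(ip, target, status=200, agent="curl/8.0"):
    # Constructed sample log line; the timestamp is fixed for readability.
    return f'{ip} - - [12/May/2025:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 4096 "-" "{agent}"'


# Constructed sample log: one client walking user IDs 1..6, one ordinary client.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.5", f"/projects/demo/meetings?{invited_user_filter(i)}") for i in range(1, 7)]
    + [
        make_line("198.51.100.7", f"/projects/demo/meetings?{invited_user_filter(42)}", agent="Mozilla/5.0"),
        make_line("198.51.100.7", "/projects/demo/work_packages", agent="Mozilla/5.0"),
    ]
)


def probed_user_ids(target):
    """Return the set of invited_user_id values in one request target (empty if none)."""
    parts = urlsplit(target)
    if not MEETINGS_PATH_RE.match(parts.path):
        return set()
    ids = set()
    for raw in parse_qs(parts.query).get("filters", []):
        try:
            filters = json.loads(raw)
        except ValueError:
            # Not well-formed JSON: fall back to a loose pattern so truncated or
            # hand-built filters are still counted.
            for m in re.finditer(r"invited_user_id\D+?values\D*?\[([^\]]*)\]", raw):
                ids.update(int(v) for v in re.findall(r"\d+", m.group(1)))
            continue
        for f in filters if isinstance(filters, list) else []:
            cond = f.get("invited_user_id") if isinstance(f, dict) else None
            if cond:
                ids.update(int(v) for v in cond.get("values", []) if str(v).isdigit())
    return ids


def find_enumeration(log_text, threshold=5):
    """Map client IP -> sorted distinct probed IDs for clients at or above threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        seen[m.group("ip")].update(probed_user_ids(m.group("target")))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(ids)} distinct invited_user_id values ({ids[0]}..{ids[-1]})")
```

Run over the constructed log, only 203.0.113.5 is reported; the second client issued a single, legitimate-looking filter and stays below the threshold. The threshold is deliberately a parameter: a user who genuinely filters meetings by a few colleagues will produce a handful of distinct IDs, whereas a sweep of the user table produces hundreds, so tune it against your own baseline and pair the alert with rate limiting on the endpoint until the patched release is deployed.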
OpenCVE Enrichment