Impact
OpenProject, an open‑source web‑based project‑management application, has a flaw in its meetings filter. Prior to version 17.3.2 and 17.4.0, the endpoint /projects/[projectName]/meetings accepts a GET request with a filters parameter that includes invited_user_id. The response differs depending on whether the supplied user ID corresponds to a valid account, thereby leaking the user’s full name. By iterating numeric user IDs and observing response differences, an attacker can enumerate all existing user accounts. The flaw is an instance of CWE‑639 and permits information disclosure but not code execution. It has been fixed in the 17.3.2 and 17.4.0 releases.
Affected Systems
Vulnerable software is the OpenProject project‑management application before version 17.3.2 and before version 17.4.0. Users of the open‑source OpenProject platform who have not applied the 17.3.2 or 17.4.0 updates are affected. The known CNA vendor is OpenProject Foundation (opf:openproject).
Risk and Exploitability
The CVSS score of 4.3 indicates a medium impact, while a lack of EPSS data means the The vulnerability is not listed in the CISA KEV catalog. An attacker can construct HTTP GET requests against the exposed endpoint without needing credentials or special privileges, to determine whether a numeric user ID is valid. Once a complete list of user names is obtained, it can be used as a foundation for phishing or credential‑reuse attacks. Therefore, the risk is considered moderate, primarily due to the absence of direct code execution or privilege escalation, but the sensitivity of known user data demands timely remediation.
OpenCVE Enrichment