Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject, an open‑source web‑based project‑management application, has a flaw in its meetings filter. Prior to version 17.3.2 and 17.4.0, the endpoint /projects/[projectName]/meetings accepts a GET request with a filters parameter that includes invited_user_id. The response differs depending on whether the supplied user ID corresponds to a valid account, thereby leaking the user’s full name. By iterating numeric user IDs and observing response differences, an attacker can enumerate all existing user accounts. The flaw is an instance of CWE‑639 and permits information disclosure but not code execution. It has been fixed in the 17.3.2 and 17.4.0 releases.

Affected Systems

Vulnerable software is the OpenProject project‑management application before version 17.3.2 and before version 17.4.0. Users of the open‑source OpenProject platform who have not applied the 17.3.2 or 17.4.0 updates are affected. The known CNA vendor is OpenProject Foundation (opf:openproject).

Risk and Exploitability

The CVSS score of 4.3 indicates a medium impact, while a lack of EPSS data means the The vulnerability is not listed in the CISA KEV catalog. An attacker can construct HTTP GET requests against the exposed endpoint without needing credentials or special privileges, to determine whether a numeric user ID is valid. Once a complete list of user names is obtained, it can be used as a foundation for phishing or credential‑reuse attacks. Therefore, the risk is considered moderate, primarily due to the absence of direct code execution or privilege escalation, but the sensitivity of known user data demands timely remediation.

Generated by OpenCVE AI on June 26, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to 17.3.2 or 17.4.0 to apply the patch that removes the enumeration flaw.
  • If an upgrade cannot be performed immediately, restrict or disable the meetings endpoint for unauthenticated users or tighten role‑based permissions so that only authorized personnel can query the meetings filter.
  • Enable logging and monitoring for repeated GET requests containing the "filters" parameter with different invited_user_id values to detect potential enumeration attempts.

Generated by OpenCVE AI on June 26, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Opf
Opf openproject
Vendors & Products Opf
Opf openproject

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.
Title OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-29T13:22:28.150Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44731

cve-icon Vulnrichment

Updated: 2026-06-29T13:22:25.289Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T01:15:08Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key