Description
OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.
Published: 2026-06-26
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the GET /api/v3/shares endpoint of OpenProject, which returns share details for all work packages within a project to any user with the view_shared_work_packages permission. The authorization check only verifies project-level access and does not confirm whether the user can view each individual shared work package. This incorrect‑authorization flaw corresponds to CWE‑863. Consequently, a regular project member can discover work package identifiers, confidential subject titles, and the roles (Editor, Commenter, Viewer) assigned to each share, exposing sensitive project information. The flaw was addressed in OpenProject 17.3.2 and 17.4.0.
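To make the authorization gap concrete, here is a small Ruby illustration of the two patterns the analysis contrasts: a listing guarded only by a project-level permission versus one that also filters each share by per-work-package visibility. This is an added example written for this page, not OpenProject's own code; the Share struct, the user names, the visibility and permission tables, and both list_shares_* functions are constructed assumptions that stand in for the application's real models and permission logic.

```ruby
# Added illustration (not OpenProject's code): project-level versus
# per-object authorization on a shares listing (CWE-863).
# Every class, name and record below is constructed for this example.

Share = Struct.new(:work_package_id, :subject, :shared_with, :role, keyword_init: true)

# Constructed sample data: two shared work packages in the same project,
# one of which the requesting "member" user is not allowed to see.
SHARES = [
  Share.new(work_package_id: 101, subject: "Public roadmap", shared_with: "alice", role: "Viewer"),
  Share.new(work_package_id: 102, subject: "Confidential: budget cuts", shared_with: "bob", role: "Editor"),
].freeze

# Assumed per-work-package visibility (stands in for whatever per-object
# visibility rule the real application applies).
VISIBLE_WORK_PACKAGES = {
  "member"  => [101],
  "manager" => [101, 102],
}.freeze

# Assumed project-level permission grants.
PROJECT_PERMISSIONS = {
  "member"   => [:view_shared_work_packages],
  "manager"  => [:view_shared_work_packages],
  "outsider" => [],
}.freeze

def allowed_in_project?(user, permission)
  PROJECT_PERMISSIONS.fetch(user, []).include?(permission)
end

def can_view_work_package?(user, work_package_id)
  VISIBLE_WORK_PACKAGES.fetch(user, []).include?(work_package_id)
end

# Vulnerable pattern: only the project-level permission is checked, so every
# share in the project is returned, including ones for work packages the
# user cannot otherwise open.
def list_shares_project_level(user)
  return [] unless allowed_in_project?(user, :view_shared_work_packages)

  SHARES
end

# Hardened pattern: the project-level permission still gates the endpoint,
# and each share is additionally filtered by whether the user may view the
# work package it belongs to.
def list_shares_per_work_package(user)
  return [] unless allowed_in_project?(user, :view_shared_work_packages)

  SHARES.select { |share| can_view_work_package?(user, share.work_package_id) }
end

if __FILE__ == $PROGRAM_NAME
  %w[member manager outsider].each do |user|
    leaked = list_shares_project_level(user).map(&:work_package_id)
    scoped = list_shares_per_work_package(user).map(&:work_package_id)
    puts "#{user}: project-level check -> #{leaked.inspect}, per-work-package check -> #{scoped.inspect}"
  end
end
```

Running the file shows the "member" user receiving work package 102 (subject, sharee and role included) from the project-level variant but only 101 from the per-work-package variant; the "manager", who may view both, gets the same result either way. The defensive point is that a collection endpoint needs the per-object check applied to every element it returns, not just a single gate at the top.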

Affected Systems

All OpenProject instances running a version older than 17.3.2 or 17.4.0 are affected. The affected product is the web‑based project management tool OpenProject, tracked as opf:openproject.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity data disclosure risk. EPSS is not available, and the vulnerability is not listed in CISA’s KEV catalogue. The likely attack vector is a legitimate user with view_shared_work_packages permission accessing the unfiltered API endpoint; no special conditions or elevated privileges are required beyond normal project membership.

Generated by OpenCVE AI on June 26, 2026 at 22:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.3.2 or later (17.4.0 and newer) to apply the vendor‑provided fix.
  • If an upgrade is not immediately possible, restrict the view_shared_work_packages permission to only trusted users or remove it from users who do not need it.
  • After applying the fix or adjusting permissions, audit projects for sensitive titles and sources of confidential information and adjust naming or access controls as necessary.


Tracking


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 01:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Opf; Opf openproject
Vendors & Products  |                | Opf; Opf openproject

Fri, 26 Jun 2026 20:15:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.
Title       |                | OpenProject: Shares API Information Disclosure
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:32:21.174Z

Reserved: 2026-05-07T18:04:17.309Z

Link: CVE-2026-44735

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T01:15:08Z

Weaknesses