Impact
The GET /api/v3/relations endpoint in OpenProject versions before 17.4.0 allows any authenticated user to retrieve relation data, and the subject (title) of work packages the user has no permission to view, by supplying an arbitrary work package ID in the involved, fromId, or toId filter. This bypasses the Relation.visible scope because of a flawed performance optimization in RelationQuery, resulting in the disclosure of sensitive work package subjects across projects and potentially of confidential information. The vulnerability is fixed in version 17.4.0 and matches CWE-200 (Information Exposure), CWE-639 (Authorization Bypass via Privilege Escalation), and CWE-836 (Misuse of Discernible Information).
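The following is an added illustration of the bug class described above, written in plain Ruby so it runs without Rails; it is not OpenProject's code, and every name in it (WorkPackage, Relation, MEMBERSHIPS, visible_relations, relations_vulnerable, relations_fixed, leaked_subjects) and the sample data are assumptions. It models the flaw as a "fast path" that, whenever an id filter is present, queries relations by the supplied ids alone and never applies the visibility scope, next to the corrected shape in which the id filter only narrows the already-scoped set. The assumption that a relation is visible only when both of its ends are visible is also mine.

```ruby
# Added illustration, not OpenProject code: an id filter that skips the
# visibility scope (vulnerable) versus one that narrows the scoped set (fixed).
WorkPackage = Struct.new(:id, :project_id, :subject)
Relation    = Struct.new(:id, :from_id, :to_id)

# Constructed sample data: project 1 is visible to everyone in this demo,
# project 2 holds confidential items; relation 10 crosses the boundary.
WORK_PACKAGES = [
  WorkPackage.new(1, 1, 'Public roadmap item'),
  WorkPackage.new(2, 2, 'Confidential: pending acquisition'),
  WorkPackage.new(3, 2, 'Confidential: reorganisation plan'),
].freeze
RELATIONS = [
  Relation.new(10, 1, 2), # project 1 -> project 2
  Relation.new(11, 2, 3), # entirely inside project 2
].freeze
# user -> ids of the projects that user may view (constructed)
MEMBERSHIPS = { 'alice' => [1], 'bob' => [1, 2] }.freeze

def visible_ids(user)
  projects = MEMBERSHIPS.fetch(user, [])
  WORK_PACKAGES.select { |wp| projects.include?(wp.project_id) }.map(&:id)
end

# Assumption: a relation is visible only when both of its ends are visible.
def visible_relations(user)
  ids = visible_ids(user)
  RELATIONS.select { |r| ids.include?(r.from_id) && ids.include?(r.to_id) }
end

def matches_filter?(relation, involved: nil, from_id: nil, to_id: nil)
  (involved.nil? || relation.from_id == involved || relation.to_id == involved) &&
    (from_id.nil? || relation.from_id == from_id) &&
    (to_id.nil? || relation.to_id == to_id)
end

# Vulnerable shape: with no filter the scope is applied, but any id filter
# takes a shortcut straight to the unscoped table.
def relations_vulnerable(user, **filter)
  return visible_relations(user) if filter.values.all?(&:nil?)

  RELATIONS.select { |r| matches_filter?(r, **filter) }
end

# Hardened shape: the caller's filter can only narrow what is already visible.
def relations_fixed(user, **filter)
  visible_relations(user).select { |r| matches_filter?(r, **filter) }
end

# The API embeds the subject of both ends of each relation; mirror that so
# the disclosure is visible in the output.
def render(relations)
  subjects = WORK_PACKAGES.to_h { |wp| [wp.id, wp.subject] }
  relations.map { |r| { id: r.id, from: subjects[r.from_id], to: subjects[r.to_id] } }
end

# Regression check usable in a test suite: subjects that reached the response
# although the user may not see their work package. Empty when scoping holds.
def leaked_subjects(user, relations)
  allowed = visible_ids(user)
  subjects = WORK_PACKAGES.to_h { |wp| [wp.id, wp.subject] }
  relations.flat_map { |r| [r.from_id, r.to_id] }
           .uniq
           .reject { |id| allowed.include?(id) }
           .map { |id| subjects[id] }
end

if __FILE__ == $PROGRAM_NAME
  # alice can see only project 1, yet the vulnerable path answers a filter on id 2.
  p render(relations_vulnerable('alice', involved: 2))
  p leaked_subjects('alice', relations_vulnerable('alice', involved: 2))
  p leaked_subjects('alice', relations_fixed('alice', involved: 2))
end
```

The point of `leaked_subjects` is that the check is independent of the query implementation: run over every filter variant the endpoint accepts, it turns the advisory's description into an assertion a test suite can keep enforcing after the fix.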
Affected Systems
All installations of the OpenProject web-based project management platform running a version earlier than 17.4.0 are affected. The vulnerability is present in the OpenProject product under the vendor name opf:openproject as listed by the CNA.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.5, indicating moderate severity. Although EPSS data is not available, the requirement for only authenticated access and the lack of a public exploit suggest that exploitation is feasible under normal conditions but not guaranteed to be widespread. The vulnerability is not listed in the CISA KEV catalog. An attacker with valid user credentials can construct a request to the relations API, supply arbitrary work package identifiers in its id filters, and read subjects that should be hidden, thereby compromising confidentiality across projects. The attack vector is authenticated network access to the API.
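Because the attack vector is authenticated API access, the abuse leaves a trail in the web server's access log: one request per probed work package ID, each naming the ID in an involved, fromId or toId filter. The following added example, which is not part of the advisory or of OpenProject, is a small detector over such log lines that extracts the IDs from those filters and flags users referencing unusually many distinct IDs. The combined-log-format line shape, the `filters=[{"involved":{"operator":"=","values":["42"]}}]` filter encoding, the sample log lines and the threshold are all constructed assumptions for the demo; adjust the regular expression and threshold to the real log format and the normal traffic of your installation.

```ruby
require 'json'
require 'set'
require 'uri'

# Added example, not OpenProject code: flag users whose relations queries name
# many distinct work-package IDs, the pattern an ID-walk across projects leaves.
ID_FILTERS = %w[involved fromId toId].freeze

# Assumed combined-log-format request line; only the relations endpoint matters.
LOG_LINE = %r{\A(?<ip>\S+) \S+ (?<user>\S+) \[[^\]]+\] "GET (?<path>/api/v3/relations\?\S*) HTTP/}

# Work-package IDs named in the id filters of one request path.
# Assumed filter encoding: filters=[{"<name>":{"operator":"=","values":[...]}}]
def work_package_ids_in(path)
  query = path.split('?', 2)[1]
  return [] if query.nil?

  params  = URI.decode_www_form(query).to_h
  filters = JSON.parse(params.fetch('filters', '[]'))
  Array(filters).flat_map do |filter|
    next [] unless filter.is_a?(Hash)

    filter.flat_map do |name, spec|
      next [] unless ID_FILTERS.include?(name) && spec.is_a?(Hash)

      Array(spec['values']).map(&:to_s)
    end
  end
rescue JSON::ParserError
  [] # malformed filter JSON is rejected by the API anyway
end

# user -> set of distinct work-package IDs that user filtered on.
def ids_by_user(log_lines)
  seen = Hash.new { |h, k| h[k] = Set.new }
  log_lines.each do |line|
    m = LOG_LINE.match(line)
    next unless m

    work_package_ids_in(m[:path]).each { |id| seen[m[:user]] << id }
  end
  seen
end

# Users at or above the threshold, with their distinct-ID count.
def flag_enumerators(log_lines, threshold: 10)
  ids_by_user(log_lines).select { |_, ids| ids.size >= threshold }.transform_values(&:size)
end

# Constructed sample log line builder (timestamp and address are placeholders).
def sample_line(user, filter_name, id)
  filters = [{ filter_name => { 'operator' => '=', 'values' => [id.to_s] } }].to_json
  path = "/api/v3/relations?#{URI.encode_www_form(filters: filters)}"
  %(10.0.0.5 - #{user} [01/Jan/2026:10:00:00 +0000] "GET #{path} HTTP/1.1" 200 512)
end

# Constructed sample: alice asks twice about one work package, bob walks twelve.
SAMPLE_LOG = [
  sample_line('alice', 'involved', 42),
  sample_line('alice', 'fromId', 42),
  *(1..12).map { |n| sample_line('bob', 'toId', 100 + n) },
].freeze

if __FILE__ == $PROGRAM_NAME
  p flag_enumerators(SAMPLE_LOG, threshold: 10) # => {"bob"=>12}
end
```

A count of distinct IDs per user is deliberately simple; a more precise rule, where the detector has access to project membership, is to flag any request whose filtered ID belongs to a project the user is not a member of, which is exactly the condition the fixed code refuses to serve.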
OpenCVE Enrichment