Description
OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The journal diff endpoint in OpenProject does not honor object, journal, or field visibility checks, so an attacker who requests it can read historical field values that should be hidden. The result is inadvertent disclosure of confidential or sensitive information the application intended to protect, an information-exposure vulnerability. The weakness is classified under CWE-200 (Information Exposure) and CWE-862 (Missing Authorization).

Affected Systems

OpenProject versions prior to 17.3.3 and 17.4.1 are affected. The vulnerability exists in the open-source, web-based project management product maintained by OpenProject; deployments running those unpatched releases are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. EPSS data is not available, so the current probability of exploitation is unknown; the issue is not listed in the CISA KEV catalog. The likely attack vector is a remote web request to the journal diff endpoint, crafted by an attacker holding appropriate credentials or, if authentication is bypassed, potentially by any logged-in user. Because the exposure is not mitigated by visibility rules, the disclosure affects every object whose history is reachable through the endpoint and reveals sensitive historical data.

Generated by OpenCVE AI on June 26, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenProject 17.3.3 or 17.4.1, where the journal diff endpoint now enforces visibility checks.
  • If an upgrade is unavailable, restrict or disable the journal diff endpoint via web‑application firewall rules or by removing the related URL routing from the production environment.
  • Verify that user permissions and field visibility settings are correctly configured so that hidden fields remain protected in all views and API calls.


Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.

Type: Title
Values Removed: (none)
Values Added: OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-200, CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
  {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:42:38.388Z

Reserved: 2026-05-18T22:07:37.435Z

Link: CVE-2026-47193

Vulnrichment

Updated: 2026-06-26T19:41:59.499Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:30:06Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-862: Missing Authorization