Description
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenProject is an open-source, web-based project management platform. Prior to version 17.4.0 the API endpoint GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id retrieves data that belongs to a linked work package. When that work package is part of a private or otherwise inaccessible project, the endpoint discloses private work package details that should not be visible to the requester. The flaw manifests as a data exposure weakness (CWE-200) and improper authorization (CWE-639), allowing an attacker who can invoke the API to view confidential project information.

Affected Systems

The affected product is OpenProject, released by opf. All versions older than 17.4.0 are vulnerable; version 17.4.0 and later contain the fix. The issue arises when a user accesses data from a private project that should be beyond their access scope.

Risk and Exploitability

The CVSS base score is 4.3, indicating a moderate level of risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the web API; an unauthenticated or minimally privileged user can exploit the endpoint to extract private work package data if they know or can guess a meeting and agenda item ID and have API access.

Generated by OpenCVE AI on June 26, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenProject to version 17.4.0 or later
  • If an upgrade is not immediately possible, restrict access to the GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id endpoint to users who are members of the associated project and have the appropriate permissions
  • Review and tighten authorization logic to ensure that private work package data cannot be returned by the API for projects the user should not see
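The third action above is the core of the fix: the linked work package must pass its own visibility check for the requester, not merely be reachable through an agenda item the requester can see. The following is an added, self-contained Ruby illustration of that pattern; it is not OpenProject's code, and the model names (Project, WorkPackage, AgendaItem, work_package_visible?) and sample data are constructed for the example.

```ruby
# Constructed model of the authorization gap described in this advisory.
# Not OpenProject code: all names and data below are hypothetical.
Project     = Struct.new(:id, :is_public, :member_ids)
WorkPackage = Struct.new(:id, :project, :subject, :description)
AgendaItem  = Struct.new(:id, :title, :work_package)

# Visibility rule for a work package: public project, or requester is a member.
def work_package_visible?(user_id, wp)
  wp.project.is_public || wp.project.member_ids.include?(user_id)
end

# Vulnerable shape: the linked work package is embedded simply because it is
# linked, so the requester's rights on the work package's project are never consulted.
def serialize_agenda_item_vulnerable(_user_id, item)
  payload = { id: item.id, title: item.title }
  if (wp = item.work_package)
    payload[:work_package] = { id: wp.id, subject: wp.subject, description: wp.description }
  end
  payload
end

# Fixed shape: the work package's own visibility rule is re-evaluated for the
# requester before any of its fields are serialized; otherwise the key is omitted.
def serialize_agenda_item_fixed(user_id, item)
  payload = { id: item.id, title: item.title }
  wp = item.work_package
  if wp && work_package_visible?(user_id, wp)
    payload[:work_package] = { id: wp.id, subject: wp.subject, description: wp.description }
  end
  payload
end

# Constructed sample data: the linked work package lives in a private project
# whose members are users 1 and 2; the requester is user 7, who is not a member.
PRIVATE_PROJECT = Project.new(2, false, [1, 2])
SECRET_WP       = WorkPackage.new(42, PRIVATE_PROJECT, "Merger due diligence", "confidential notes")
ITEM            = AgendaItem.new(9, "Status update", SECRET_WP)

if __FILE__ == $PROGRAM_NAME
  p serialize_agenda_item_vulnerable(7, ITEM)  # includes :work_package for a non-member
  p serialize_agenda_item_fixed(7, ITEM)       # omits :work_package for a non-member
end
```

A regression test for the fix is the comparison of the two serializers for a non-member: the hardened response must not contain the work package key at all, while a project member still receives it.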

Generated by OpenCVE AI on June 26, 2026 at 22:00 UTC.


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 02:00:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Opf; Opf openproject

Type: Vendors & Products
  Values removed: (none)
  Values added: Opf; Opf openproject

Fri, 26 Jun 2026 20:15:00 +0000

Type: Description
  Values added: OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.

Type: Title
  Values added: OpenProject: Private work package data disclosure through single meeting agenda item API

Type: Weaknesses
  Values added: CWE-200; CWE-639

Type: References
  Values added: (none listed)

Type: Metrics
  Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T19:29:15.995Z

Reserved: 2026-05-29T14:35:45.904Z

Link: CVE-2026-49355

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T01:45:09Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-639: Authorization Bypass Through User-Controlled Key