OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via “invited_user

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.

Basic Information

ID CVE-2026-44731

Source GitHub_M

Published Jun 26, 2026 at 19:41

Affected Product

Vendor opf

Product openproject

Version < 17.3.2

Affected Versions opf openproject < 17.3.2

CWE Classification

CWE-639

References

github.com /opf/openproject/security/advisories/GHSA-x7j3-cfgf-7mc4

{
    "lastseen": "",
    "description": "OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.",
    "published": "2026-06-26T19:41:53.550Z",
    "modified": "2026-06-26T19:41:53.550Z",
    "type": "cve",
    "title": "OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via \"invited_user_id\" in GET parameter \"filters\" leads to user names disclosure",
    "source": "GitHub_M",
    "references": "https://github.com/opf/openproject/security/advisories/GHSA-x7j3-cfgf-7mc4",
    "id": "CVE-2026-44731",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "opf openproject < 17.3.2",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openproject",
    "version": "< 17.3.2",
    "vendor": "opf",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via “invited_user_id” in GET parameter “filters” leads to user names disclosure_CVE-2026-44731