3.5

CVE-2026-22602

EPSS 0.01%
Veröffentlicht 10.01.2026 01:06:12
Zuletzt bearbeitet 14.01.2026 22:26:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openproject ≫ Openproject Version < 16.6.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.013

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/opf/openproject/releases/tag/v16.6.2

Release Notes

https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j

Patch

Vendor Advisory

https://github.com/opf/openproject/pull/21281

Issue Tracking

https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-22602

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22602

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22602

EUVD