3.5
CVE-2026-22602
- EPSS 0.26%
- Veröffentlicht 10.01.2026 01:06:12
- Zuletzt bearbeitet 14.01.2026 22:26:18
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginOpenProject is Vulnerable to User Enumeration via User ID
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Openproject ≫ Openproject Version < 16.6.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.26% | 0.166 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 3.5 | 2.1 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
https://github.com/opf/openproject/releases/tag/v16.6.2
https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j
https://github.com/opf/openproject/pull/21281
https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37