CVE-2026-23721

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.0.1 OpenProject versions prior to 16.6.5

Description OpenProject is a web-based project management software. A permission check failure in earlier versions allowed users with the 'View Members' permission in any project to list all groups and identify all members within those groups, bypassing intended access restrictions. The issue affects group member visibility within the application.

Recommendations Update to OpenProject version 17.0.1 or later. Update to OpenProject version 16.6.5 or later.