PT-2026-2222 · Openproject · Openproject
Low · oliverguenther
Published 2026-01-10 · Updated 2026-01-12 · CVE-2026-22602
CVSS v3.1: 3.5 (Low)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenProject versions prior to 16.6.2
Description
OpenProject is a web-based project management software. A user with low privileges can view the full names of other users. Because user IDs are assigned sequentially, an attacker can obtain a complete list of all users' full names by iterating over the user ID in the URL. The same behavior is reproducible through the OpenProject API, so the retrieval can be automated against the API endpoint as well. The vulnerable parameter is the user ID.
Recommendations
Upgrade to OpenProject version 16.6.2 or later.
If upgrading is not possible, apply the patch manually.
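The enumeration described above (one low-privileged account walking sequential user IDs through `/users/:id` or the API) leaves a recognisable trace in access logs. The following Ruby script, added here as an illustration and not part of the advisory or of OpenProject, parses constructed log lines in a combined-log style whose third field is the authenticated account (that field layout, the path patterns and the thresholds are assumptions for this example) and flags accounts that requested many distinct, consecutive user IDs within a short window. Requests that returned 404 are counted too, since probing non-existent IDs is part of the same pattern.

```ruby
# Added example (not from the advisory or from OpenProject): detect one
# authenticated account walking sequential user IDs in access logs.
require 'time'

# Constructed combined-log-style line; the third field is assumed to carry the
# authenticated account name (an assumption for this example).
LOG_LINE = /\A(?<ip>\S+) \S+ (?<account>\S+) \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/
# Web UI and API v3 user URLs with a numeric id (path shape is assumed here).
USER_PATH = %r{\A/(?:api/v3/)?users/(?<id>\d+)(?:[/?]|\z)}

Hit = Struct.new(:account, :ip, :time, :id, :status)

# Returns a Hit for a user-profile request, or nil for anything else.
def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  p = USER_PATH.match(m[:path])
  return nil unless p
  Hit.new(m[:account], m[:ip],
          Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
          p[:id].to_i, m[:status].to_i)
end

# Length of the longest run of consecutive ids (step 1) in a sorted unique list.
def longest_consecutive_run(ids)
  return 0 if ids.empty?
  best = run = 1
  ids.each_cons(2) do |a, b|
    run = (b == a + 1) ? run + 1 : 1
    best = run if run > best
  end
  best
end

# Flag accounts that fetched at least min_distinct user ids, including a run of
# at least min_run consecutive ids, within window_seconds.
def detect_enumeration(lines, min_distinct: 5, min_run: 5, window_seconds: 300)
  hits = lines.map { |l| parse_line(l) }.compact
  hits.group_by(&:account).filter_map do |account, hs|
    ids = hs.map(&:id).uniq.sort
    run = longest_consecutive_run(ids)
    times = hs.map(&:time)
    span = (times.max - times.min).to_i
    next unless ids.size >= min_distinct && run >= min_run && span <= window_seconds
    {
      account: account,
      sources: hs.map(&:ip).uniq,
      distinct_ids: ids.size,
      longest_run: run,
      span_seconds: span,
      not_found: hs.count { |h| h.status == 404 } # probes of ids that do not exist
    }
  end
end

# Constructed sample log: "alice" walks ids 1..8 in a few seconds (one id does
# not exist); "bob" views a couple of profiles and a project page normally.
SAMPLE_LOG = <<~LOG.lines.map(&:chomp)
  10.0.0.5 - alice [10/Jan/2026:12:00:01 +0000] "GET /users/1 HTTP/1.1" 200
  10.0.0.5 - alice [10/Jan/2026:12:00:02 +0000] "GET /users/2 HTTP/1.1" 200
  10.0.0.5 - alice [10/Jan/2026:12:00:03 +0000] "GET /users/3 HTTP/1.1" 200
  10.0.0.5 - alice [10/Jan/2026:12:00:04 +0000] "GET /users/4 HTTP/1.1" 200
  10.0.0.5 - alice [10/Jan/2026:12:00:05 +0000] "GET /users/5 HTTP/1.1" 200
  10.0.0.5 - alice [10/Jan/2026:12:00:06 +0000] "GET /users/6 HTTP/1.1" 404
  10.0.0.5 - alice [10/Jan/2026:12:00:07 +0000] "GET /users/7 HTTP/1.1" 200
  10.0.0.5 - alice [10/Jan/2026:12:00:08 +0000] "GET /api/v3/users/8 HTTP/1.1" 200
  10.0.0.9 - bob [10/Jan/2026:12:01:00 +0000] "GET /users/42 HTTP/1.1" 200
  10.0.0.9 - bob [10/Jan/2026:12:01:05 +0000] "GET /projects/demo HTTP/1.1" 200
  10.0.0.9 - bob [10/Jan/2026:12:02:00 +0000] "GET /api/v3/users/7 HTTP/1.1" 200
  10.0.0.9 - bob [10/Jan/2026:12:02:30 +0000] "GET /users/42?tab=activity HTTP/1.1" 200
LOG

if __FILE__ == $0
  detect_enumeration(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Run against real logs, the thresholds need tuning to the instance: an administrator auditing accounts legitimately opens many profiles, so combine the finding with the account's role, and treat the API path as equally significant, since the advisory notes the same data is reachable there.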
Exploit
Fix
Information Disclosure
Affected Products
Openproject