Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| opf | openproject | affected |
|
No data.
No data.
| Vendor | Product | Confidence | Versions | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Opf | Openproject | 100% |
|
Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Sat, 27 Jun 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Opf
Opf openproject |
|
| Vendors & Products |
Opf
Opf openproject |
Fri, 26 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0. | |
| Title | OpenProject: Improper Access Control on OpenProject through /projects/[projectName]/meetings via "invited_user_id" in GET parameter "filters" leads to user names disclosure | |
| Weaknesses | CWE-639 | |
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-26T19:41:53.550Z
Reserved: 2026-05-07T18:04:17.309Z
Link: CVE-2026-44731
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-06-27T01:15:08Z