Description

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.

INFO

Published Date :

2026-01-10T01:06:12.921Z

Last Modified :

2026-01-10T01:06:12.921Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22602 vulnerability.

Vendors Products
Openproject
  • Openproject
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22602.

URL Resource
https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37 cve-icon cve-icon
https://github.com/opf/openproject/pull/21281 cve-icon cve-icon
https://github.com/opf/openproject/releases/tag/v16.6.2 cve-icon cve-icon
https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact