CVE-2026-22602
Last modified
CVE-2026-22602 is a low-severity vulnerability rated 3.5/10 on the CVSS scale. OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. EPSS estimates a 0.26% chance of exploitation in the next 30 days.
Description
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openproject | Openproject | < 16.6.2 |
References
- https://github.com/opf/openproject/pull/21281Issue Tracking
- https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82jPatch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-22602?
How severe is CVE-2026-22602?
How do I fix CVE-2026-22602?
Are you affected by CVE-2026-22602?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST