CVE-2026-22602

CVE Database · CVE-2026-22602

CVE-2026-22602

· LOWAnalyzed

CVSS v3.1

3.5

EPSS

0.26%

Published

Jan 9, 2026

Modified

Jan 14, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Weaknesses (CWE)

CWE-200

Affected Products (1)

openproject · openproject (up to 16.6.2)vulnerable

References (4)

https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37

Patch

https://github.com/opf/openproject/pull/21281

Issue Tracking

https://github.com/opf/openproject/releases/tag/v16.6.2

Release Notes

https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j

Vendor AdvisoryPatch

KEV Catalog EPSS Scores Vendors All CVEs