CVE-2026-44731 | OpenProject is open-source, web-based project management sof… | CVSS 4.3 MEDIUM

Description

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.

Metadata

CVE ID: CVE-2026-44731
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-07 18:04 UTC
Published: 2026-06-26 19:41 UTC
Last updated: 2026-06-26 19:41 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: opf / openproject
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
opf	openproject	—	< 17.3.2

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (1)

https://github.com/opf/openproject/security/advisories/GHSA-x7j3-cfgf-7mc4 https://github.com/opf/openproject/security/advisories/GHSA-x7j3-cfgf-7mc4