CVE-2026-44735 | OpenProject is open-source, web-based project management sof… | CVSS 6.5 MEDIUM

Description

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the view_shared_work_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.

Metadata

CVE ID: CVE-2026-44735
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-07 18:04 UTC
Published: 2026-06-26 19:32 UTC
Last updated: 2026-06-26 19:32 UTC
Primary CWE: CWE-863
CWE-863: Incorrect Authorization
Vendor / Product: opf / openproject
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
opf	openproject	—	< 17.3.2

Weakness (CWE)

CWE	Source	Description
CWE-863	cna	CWE-863: Incorrect Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (1)

https://github.com/opf/openproject/security/advisories/GHSA-cfg3-f34w-9xx5 https://github.com/opf/openproject/security/advisories/GHSA-cfg3-f34w-9xx5