CVE-2026-22602
- Source
- https://cve.org/CVERecord?id=CVE-2026-22602
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22602.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-22602
- Aliases
-
- GHSA-7fvx-9h6h-g82j
- Published
- 2026-01-10T01:06:12.921Z
- Modified
- 2026-03-01T02:56:40.171918Z
- Severity
-
- 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- OpenProject is Vulnerable to User Enumeration via User ID
- Details
-
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22602.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200" ] }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22602.json
- https://github.com/opf/openproject/commit/fb39a779f521d9b08f1e0c9e8aff2b6d4643ea37
- https://github.com/opf/openproject/pull/21281
- https://github.com/opf/openproject/releases/tag/v16.6.2
- https://github.com/opf/openproject/security/advisories/GHSA-7fvx-9h6h-g82j
- https://nvd.nist.gov/vuln/detail/CVE-2026-22602
Affected packages
Git / github.com/opf/openproject
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opf/openproject
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
11.*
11.2.1
2.*
2.4.0
release/3.*
release/3.0.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.0.3
v11.0.4
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.2.0
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v16.4.0
v16.4.1
v16.5.0
v16.5.1
v16.6.0
v16.6.1
v3.*
v3.0.0
v3.0.1
v3.0.11
v3.0.12
v3.0.13
v3.0.8
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-beta
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v9.*
v9.0.0-pre
v9.0.2-pre