CVE-2026-23721

Source
https://cve.org/CVERecord?id=CVE-2026-23721
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23721.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23721
Aliases
  • GHSA-vj77-wrc2-5h5h
Published
2026-01-19T17:52:35.307Z
Modified
2026-07-08T07:43:48.054374596Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
OpenProject users with "View Members" permission in any project can view all Group memberships
Details

OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23721.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "cpe": [
        "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:openproject:openproject:17.0.0:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "16.6.5"
        },
        {
            "introduced": "17.0.0"
        },
        {
            "last_affected": "17.0.0"
        }
    ]
}

Affected versions

17.*
17.0.0
= 17.*
= 17.0.0
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v16.4.0
v16.4.1
v16.5.0
v16.5.1
v16.6.0
v16.6.1
v16.6.2
v16.6.3
v16.6.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23721.json"