CVE-2026-23721
- Source
- https://cve.org/CVERecord?id=CVE-2026-23721
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23721.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-23721
- Aliases
-
- GHSA-vj77-wrc2-5h5h
- Published
- 2026-01-19T17:52:35.307Z
- Modified
- 2026-02-04T07:15:56.457814Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- OpenProject users with "View Members" permission in any project can view all Group memberships
- Details
-
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23721.json", "cwe_ids": [ "CWE-862" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/opf/openproject
Affected ranges
- Type
- GIT
- Repo
- https://github.com/opf/openproject
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
11.*
11.2.1
2.*
2.4.0
release/3.*
release/3.0.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.0.3
v11.0.4
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v11.1.4
v11.2.0
v11.2.1
v11.2.2
v11.2.3
v11.2.4
v16.*
v16.0.0
v16.0.1
v16.1.0
v16.1.1
v16.2.0
v16.2.1
v16.2.2
v16.3.0
v16.3.1
v16.3.2
v16.4.0
v16.4.1
v16.5.0
v16.5.1
v16.6.0
v16.6.1
v16.6.2
v16.6.3
v16.6.4
v3.*
v3.0.0
v3.0.1
v3.0.11
v3.0.12
v3.0.13
v3.0.8
v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.0
v4.1.0-beta
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v5.*
v5.0.0
v5.0.1
v5.0.10
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v9.*
v9.0.0-pre
v9.0.2-pre