CVE-2026-44735

Source
https://cve.org/CVERecord?id=CVE-2026-44735
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44735.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44735
Aliases
  • GHSA-cfg3-f34w-9xx5
Published
2026-06-26T19:32:21.174Z
Modified
2026-07-15T01:49:04.244034926Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
OpenProject: Shares API Information Disclosure
Details

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the GET /api/v3/shares endpoint returns share details for ALL work packages in a project to any user with the viewsharedwork_packages permission. The authorization check operates at the project level only — it does not verify the requesting user can actually view each individual shared work package. This allows a regular project member to discover work package IDs and subjects (including confidential titles), which users have been granted shared access, what role level was assigned (Editor, Commenter, Viewer). This vulnerability is fixed in 17.3.2 and 17.4.0.

Database specific
{
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44735.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "17.3.2"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

11.*
11.2.1
2.*
2.4.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v17.*
v17.3.1
v5.*
v5.0.4
v9.*
v9.0.0-pre

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44735.json"