CVE-2026-47193

Source
https://cve.org/CVERecord?id=CVE-2026-47193
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47193.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47193
Aliases
  • GHSA-f2rx-x2qj-2hgj
Published
2026-06-26T19:01:09.927Z
Modified
2026-07-08T08:05:18.104274335Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks
Details

OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47193.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200",
        "CWE-862"
    ]
}
References

Affected packages

Git / github.com/opf/openproject

Affected ranges

Type
GIT
Repo
https://github.com/opf/openproject
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "17.3.3"
        },
        {
            "introduced": "17.4.0"
        },
        {
            "fixed": "17.4.1"
        }
    ]
}

Affected versions

11.*
11.2.1
2.*
2.4.0
Other
sprint/2014_08
sprint/2014_09
sprint/2014_10
sprint/2014_11
sprint/2014_12
sprint/2014_13
sprint/2014_16
sprint/2014_18
sprint/2015_01
sprint/2015_02
sprint/2015_03
sprint/2015_04
v10.*
v10.5
v17.*
v17.3.1
v17.3.2
v17.4.0
v5.*
v5.0.4
v9.*
v9.0.0-pre

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47193.json"