OpenProject is open-source, web-based project management software. Prior to 17.4.0, GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49355.json"
}