CVE Catalog

CVE-2026-44731

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

In OpenProject prior to versions 17.3.2 and 17.4.0, the meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name. This allows an attacker to enumerate all existing user accounts by probing user IDs and observing differences in server responses.

Risk Assessment

The risk involves the ability to perform user enumeration attacks, which can lead to information disclosure about the organization's structure and facilitate further social engineering or brute-force attacks on accounts.

Recommendation

Immediately update OpenProject to version 17.3.2 or 17.4.0, which includes a fix that prevents the leakage of user information.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.3.2 and 17.4.0, the web application's meetings filter feature leaks whether a given user ID corresponds to a valid account and discloses the user's full name, allowing an attacker to enumerate all existing user accounts by probing user IDs and observing differences in the server response. This vulnerability is fixed in 17.3.2 and 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS