CVE-2026-49355
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
A vulnerability in OpenProject prior to version 17.4.0 allows disclosure of private work package data from a linked work package belonging to an inaccessible project via a GET request to the API endpoint.
Risk Assessment
The organization is at risk of leaking confidential work package information from projects the user should not have access to, potentially leading to data confidentiality breaches.
Recommendation
Immediately update OpenProject to version 17.4.0 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.

