CVE Catalog

CVE-2026-49355

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

12th percentile — higher than 12% of all known CVEs

Summary

A vulnerability in OpenProject prior to version 17.4.0 allows disclosure of private work package data from a linked work package belonging to an inaccessible project via a GET request to the API endpoint.

Risk Assessment

The organization is at risk of leaking confidential work package information from projects the user should not have access to, potentially leading to data confidentiality breaches.

Recommendation

Immediately update OpenProject to version 17.4.0 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

OpenProject is open-source, web-based project management software. Prior to 17.4.0, `GET /api/v3/meetings/:meeting_id/agenda_items/:agenda_item_id` discloses private work package data from a linked work package that belongs to a private/inaccessible project. This vulnerability is fixed in 17.4.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS