CVE-2026-23721 MEDIUM

CVE-2026-23721: OpenProject users with "View Members" permission in any project can view all Group memberships

Vendor Opf
Product openproject
Weakness CWE-862 · Missing authorization
Published January 19, 2026
Last update January 20, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.

Key dates

02Disclosure timeline

January 19, 2026 CVE published
January 20, 2026 Record updated

Related vulnerabilities

04Related CVE