CVE-2026-23721 (GCVE-0-2026-23721)

Vulnerability from cvelistv5 – Published: 2026-01-19 17:52 – Updated: 2026-01-20 14:51
VLAI
Title
OpenProject users with "View Members" permission in any project can view all Group memberships
Summary
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
opf openproject Affected: < 16.6.5
Affected: = 17.0.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23721",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-20T14:51:12.955677Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-20T14:51:21.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openproject",
          "vendor": "opf",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 16.6.5"
            },
            {
              "status": "affected",
              "version": "= 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T17:52:35.307Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h"
        }
      ],
      "source": {
        "advisory": "GHSA-vj77-wrc2-5h5h",
        "discovery": "UNKNOWN"
      },
      "title": "OpenProject users with \"View Members\" permission in any project can view all Group memberships"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23721",
    "datePublished": "2026-01-19T17:52:35.307Z",
    "dateReserved": "2026-01-15T15:45:01.955Z",
    "dateUpdated": "2026-01-20T14:51:21.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-23721",
      "date": "2026-07-12",
      "epss": "0.00176",
      "percentile": "0.07265"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23721\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-19T18:16:05.730\",\"lastModified\":\"2026-06-17T10:21:59.597\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Cuando se utilizan grupos en OpenProject para gestionar usuarios, los miembros del grupo solo deber\u00edan ser visibles para los usuarios que tienen el permiso \u0027Ver miembros\u0027 en cualquier proyecto del que el grupo tambi\u00e9n sea miembro. Antes de las versiones 17.0.1 y 16.6.5, debido a una comprobaci\u00f3n de permisos fallida, si un usuario ten\u00eda el permiso \u0027Ver miembros\u0027 en cualquier proyecto, pod\u00eda enumerar todos los Grupos y ver qu\u00e9 otros usuarios formaban parte del grupo. El problema ha sido solucionado en OpenProject 17.0.1 y 16.6.5. No se conocen soluciones alternativas disponibles.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"opf\",\"product\":\"openproject\",\"versions\":[{\"version\":\"\u003c 16.6.5\",\"status\":\"affected\"},{\"version\":\"= 17.0.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-20T14:51:12.955677Z\",\"id\":\"CVE-2026-23721\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"16.6.5\",\"matchCriteriaId\":\"4C6FE059-AB36-4883-AE55-2E65FDE51BD2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openproject:openproject:17.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"78FA3834-A1AB-4489-AE2A-2C7FAE9B619F\"}]}]}],\"references\":[{\"url\":\"https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "redhat_vex": {
      "current_release_date": "2026-01-20T18:18:56+00:00",
      "cve": "CVE-2026-23721",
      "id": "CVE-2026-23721",
      "initial_release_date": "2026-01-01T00:00:00+00:00",
      "product_status:known_not_affected": "1",
      "source": "Red Hat CSAF VEX",
      "status": "final",
      "title": "OpenProject users with \"View Members\" permission in any project can view all Group memberships",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23721.json",
      "version": "3"
    },
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"OpenProject users with \\\"View Members\\\" permission in any project can view all Group memberships\", \"source\": {\"advisory\": \"GHSA-vj77-wrc2-5h5h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"opf\", \"product\": \"openproject\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 16.6.5\"}, {\"status\": \"affected\", \"version\": \"= 17.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h\", \"name\": \"https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-19T17:52:35.307Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-23721\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-20T14:51:12.955677Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-01-20T14:51:17.311Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-23721\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-19T17:52:35.307Z\", \"dateReserved\": \"2026-01-15T15:45:01.955Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-19T17:52:35.307Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…