CVE-2026-22605
Unauthorized Access via Meeting Details Exposure in OpenProject
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openproject | openproject | up to 16.6.3 (exclusive) |
| openproject | openproject | up to 16.6.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users with the 'View Meetings' permission to access meeting details from projects they do not have access to, leading to unauthorized data exposure. This improper access control could potentially result in non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal or sensitive information. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1]
Can you explain this vulnerability to me?
CVE-2026-22605 is an Insecure Direct Object Reference (IDOR) vulnerability in OpenProject versions prior to 16.6.3. It allows users who have the 'View Meetings' permission on any project to access meeting details from projects they do not have permission to access. This happens because the system checks permissions against the project in the URL but then loads the meeting by its ID regardless of project ownership, leading to unauthorized data exposure. [1]
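The check-then-load ordering described above, modelled as an added illustration in plain Ruby with in-memory records (this is not OpenProject's code; the record, user and function names are assumptions). The vulnerable lookup authorizes the project from the URL but fetches the meeting by id alone; the hardened lookup scopes the fetch to that same project, so a foreign meeting id is simply not found.

```ruby
# Added illustration of the CWE-284 / IDOR pattern described for CVE-2026-22605.
# Plain Ruby with in-memory records; all names here are assumptions.
Project = Struct.new(:id, :name)
Meeting = Struct.new(:id, :project_id, :title)
User    = Struct.new(:name, :view_meetings_on) # project ids with 'View Meetings'

# Constructed sample data: two projects, one meeting each.
PROJECTS = { 1 => Project.new(1, "public-docs"), 2 => Project.new(2, "m-and-a") }
MEETINGS = [
  Meeting.new(10, 1, "Docs sync"),
  Meeting.new(20, 2, "Confidential acquisition review"),
].freeze

class Forbidden < StandardError; end
class NotFound  < StandardError; end

# Permission check against the project named in the URL.
def authorize!(user, project_id)
  raise Forbidden unless user.view_meetings_on.include?(project_id)
end

# Vulnerable: permission is checked for the URL's project, but the meeting
# is then loaded by id alone, ignoring which project actually owns it.
def show_meeting_vulnerable(user, url_project_id, meeting_id)
  authorize!(user, url_project_id)
  MEETINGS.find { |m| m.id == meeting_id } or raise NotFound
end

# Hardened: load the meeting through the authorized project's own scope,
# so an id belonging to another project cannot be resolved at all.
def show_meeting_fixed(user, url_project_id, meeting_id)
  authorize!(user, url_project_id)
  MEETINGS.find { |m| m.id == meeting_id && m.project_id == url_project_id } or raise NotFound
end

if __FILE__ == $0
  alice = User.new("alice", [1]) # 'View Meetings' on project 1 only
  puts show_meeting_vulnerable(alice, 1, 20).title # project-2 meeting leaks
  begin
    show_meeting_fixed(alice, 1, 20)
  rescue NotFound
    puts "fixed: meeting 20 is not reachable through project 1"
  end
end
```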
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of meeting details from projects a user should not have access to. Since the 'View Meetings' permission is granted by default to all roles, many users could potentially view sensitive meeting information from other projects, leading to confidentiality breaches. There is no impact on integrity or availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or network indicators provided for this vulnerability. Detection would likely require reviewing user permissions and attempting to access meeting details across projects to verify unauthorized access, but no explicit commands or tools are mentioned.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the Meeting module or removing the 'View Meetings' permission from as many roles as possible until you can apply the update. The vulnerability is fixed in OpenProject version 16.6.3, so upgrading to this version is recommended. For those unable to upgrade immediately, a manual patch (21379-meeting-scope.patch) is available. [1]