CVE-2026-22605
Unknown Unknown - Not Provided
Unauthorized Access via Meeting Details Exposure in OpenProject

Publication date: 2026-01-10

Last updated on: 2026-01-10

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-01-10
Generated
2026-06-16
AI Q&A
2026-01-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22605
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openproject openproject to 16.6.3 (exc)
openproject openproject to 16.6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized users with the 'View Meetings' permission to access meeting details from projects they do not have access to, leading to unauthorized data exposure. This improper access control could potentially result in non-compliance with data protection regulations such as GDPR or HIPAA, which require strict controls on access to personal or sensitive information. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1]

Executive Summary

CVE-2026-22605 is an Insecure Direct Object Reference (IDOR) vulnerability in OpenProject versions prior to 16.6.3. It allows users who have the 'View Meetings' permission on any project to access meeting details from projects they do not have permission to access. This happens because the system checks permissions against the project in the URL but then loads the meeting by its ID regardless of project ownership, leading to unauthorized data exposure. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of meeting details from projects a user should not have access to. Since the 'View Meetings' permission is granted by default to all roles, many users could potentially view sensitive meeting information from other projects, leading to confidentiality breaches. There is no impact on integrity or availability. [1]

Detection Guidance

There are no specific detection commands or network indicators provided for this vulnerability. Detection would likely require reviewing user permissions and attempting to access meeting details across projects to verify unauthorized access, but no explicit commands or tools are mentioned.

Mitigation Strategies

Immediate mitigation steps include disabling the Meeting module or removing the 'View Meetings' permission from as many roles as possible until you can apply the update. The vulnerability is fixed in OpenProject version 16.6.3, so upgrading to this version is recommended. For those unable to upgrade immediately, a manual patch (21379-meeting-scope.patch) is available. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22605. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart