CVE-2026-23721
Unknown Unknown - Not Provided
Permission Bypass in OpenProject Groups Allows User Enumeration

Publication date: 2026-01-19

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-19
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23721
EUVD
EUVD-2026-3307
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
openproject openproject to 16.6.4 (inc)
openproject openproject to 17.0.0 (inc)
openproject openproject 17.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized disclosure of group membership information, allowing users to enumerate all groups and see which users belong to them. This impacts confidentiality but does not affect integrity or availability of the system. Essentially, sensitive information about user group memberships could be exposed to users without proper authorization. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade OpenProject to version 16.6.5 or 17.0.1 or later, where the issue has been fixed. No workarounds are available for remediation without upgrading. [1]

Executive Summary

This vulnerability in OpenProject allows users who have the 'View Members' permission in any project to see all groups and their members across the platform, even if they shouldn't have access to those groups. This happens because of a failed permission check that does not properly restrict group membership visibility to only those projects where the user has the appropriate permission. It was fixed in versions 16.6.5 and 17.0.1. [1]

Compliance Impact

The vulnerability allows unauthorized users with the 'View Members' permission in any project to enumerate all groups and view their membership lists, potentially exposing user membership information beyond intended access controls. This unintended disclosure of user information could lead to confidentiality breaches, which may impact compliance with data protection regulations such as GDPR or HIPAA that require strict control over personal and sensitive information. However, the provided resources do not explicitly discuss compliance implications. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23721. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart